This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch rel/1.2
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/rel/1.2 by this push:
new 9069f4cc4b2 [To rel/1.2] Revert unfinished auth module
9069f4cc4b2 is described below
commit 9069f4cc4b2b576b12422ff27ba3f85cab12619a
Author: Potato <[email protected]>
AuthorDate: Tue Aug 1 14:26:20 2023 +0800
[To rel/1.2] Revert unfinished auth module
---
.../confignode/it/IoTDBClusterAuthorityIT.java | 27 +--
.../java/org/apache/iotdb/db/it/IoTDBAuthIT.java | 178 +++++++++--------
.../db/it/IoTDBSyntaxConventionIdentifierIT.java | 52 ++++-
.../java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java | 4 +-
.../iotdb/db/it/selectinto/IoTDBSelectIntoIT.java | 10 +-
.../db/it/trigger/IoTDBTriggerManagementIT.java | 14 +-
.../org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 | 2 -
.../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 | 217 ++++++++++++++++-----
.../iotdb/confignode/persistence/AuthorInfo.java | 2 +-
.../request/ConfigPhysicalPlanSerDeTest.java | 3 +-
.../confignode/persistence/AuthorInfoTest.java | 39 ++--
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 121 +++++++-----
.../iotdb/db/auth/ClusterAuthorityFetcher.java | 12 +-
.../db/queryengine/plan/parser/ASTVisitor.java | 6 +
.../iotdb/db/auth/AuthorizerManagerTest.java | 12 +-
.../auth/authorizer/LocalFileAuthorizerTest.java | 16 +-
.../iotdb/db/auth/entity/PathPrivilegeTest.java | 4 +-
.../org/apache/iotdb/db/auth/entity/RoleTest.java | 5 +-
.../org/apache/iotdb/db/auth/entity/UserTest.java | 6 +-
.../db/auth/user/LocalFileUserManagerTest.java | 12 +-
.../security/encrypt/MessageDigestEncryptTest.java | 2 +-
.../commons/auth/authorizer/BasicAuthorizer.java | 2 +-
.../iotdb/commons/auth/entity/PrivilegeType.java | 118 +++++------
.../iotdb/commons/auth/role/BasicRoleManager.java | 3 +-
.../iotdb/commons/auth/user/BasicUserManager.java | 15 +-
.../iotdb/commons/auth/user/IUserManager.java | 3 +-
.../org/apache/iotdb/commons/utils/AuthUtils.java | 111 +++++++----
27 files changed, 611 insertions(+), 385 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
index 30cec1d28a1..dbef8dc24ed 100644
---
a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java
@@ -68,7 +68,8 @@ public class IoTDBClusterAuthorityIT {
EnvFactory.getEnv().cleanClusterEnvironment();
}
- private void cleanUserAndRole(IConfigNodeRPCService.Iface client) throws
TException {
+ private void cleanUserAndRole(IConfigNodeRPCService.Iface client)
+ throws TException, IllegalPathException {
TSStatus status;
// clean user
@@ -120,13 +121,15 @@ public class IoTDBClusterAuthorityIT {
TCheckUserPrivilegesReq checkUserPrivilegesReq;
Set<Integer> privilegeList = new HashSet<>();
- privilegeList.add(PrivilegeType.MANAGE_USER.ordinal());
+ privilegeList.add(PrivilegeType.DELETE_USER.ordinal());
+ privilegeList.add(PrivilegeType.CREATE_USER.ordinal());
Set<Integer> revokePrivilege = new HashSet<>();
- revokePrivilege.add(PrivilegeType.MANAGE_USER.ordinal());
+ revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal());
List<String> privilege = new ArrayList<>();
- privilege.add("root.** : MANAGE_USER");
+ privilege.add("root.** : CREATE_USER");
+ privilege.add("root.** : CREATE_USER");
List<PartialPath> paths = new ArrayList<>();
paths.add(new PartialPath("root.ln.**"));
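Review bot: The expected privilege list now holds `"root.** : CREATE_USER"` twice, via the two consecutive `privilege.add` calls, and nothing in the hunk says why a duplicate entry is the expected shape of `COLUMN_PRIVILEGE`. If the second entry is intended (presumably the same grant being reported once for the user and once through a role), add a comment such as `// expected twice: once from the direct user grant, once via the granted role` above the second add; if it is a copy-paste slip, the later equality assertion against the query result will only pass when the server really returns duplicates. The enclosing test method starts and ends outside this hunk.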
@@ -156,7 +159,7 @@ public class IoTDBClusterAuthorityIT {
new TCheckUserPrivilegesReq(
"tempuser0",
AuthUtils.serializePartialPathList(paths),
- PrivilegeType.MANAGE_USER.ordinal());
+ PrivilegeType.DELETE_USER.ordinal());
status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(),
status.getCode());
@@ -267,7 +270,7 @@ public class IoTDBClusterAuthorityIT {
new TCheckUserPrivilegesReq(
"tempuser0",
AuthUtils.serializePartialPathList(paths),
- PrivilegeType.MANAGE_USER.ordinal());
+ PrivilegeType.DELETE_USER.ordinal());
status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
@@ -353,7 +356,6 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- privilege.remove(0);
Assert.assertEquals(
privilege,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
@@ -386,6 +388,7 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ privilege.remove(0);
assertEquals(
0,
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
@@ -481,12 +484,10 @@ public class IoTDBClusterAuthorityIT {
authorizerResp = client.queryPermission(authorizerReq);
status = authorizerResp.getStatus();
assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Set<PrivilegeType> allPrivilegeTypes =
PrivilegeType.ALL.getStorablePrivilege();
- List<String> resultPrivilegeTypes =
-
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);
- Assert.assertEquals(allPrivilegeTypes.size(),
resultPrivilegeTypes.size());
- for (int i = 0; i < allPrivilegeTypes.size(); i++) {
-
Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString()));
+ for (int i = 0; i < PrivilegeType.values().length; i++) {
+ assertEquals(
+ PrivilegeType.values()[i].toString(),
+
authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).get(i));
}
} catch (Exception e) {
e.printStackTrace();
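Review bot: The new loop `for (int i = 0; i < PrivilegeType.values().length; i++)` indexes the returned privilege list with `get(i)` without first checking its size, and the removed `Assert.assertEquals(allPrivilegeTypes.size(), resultPrivilegeTypes.size())` is not carried over. A shorter result throws `IndexOutOfBoundsException`, which the enclosing `catch (Exception e)` handles with `e.printStackTrace()`, so the mismatch could be reported only on stderr rather than as a failure; whether that catch block also calls `fail` is outside the hunk. Add `assertEquals(PrivilegeType.values().length, authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());` before the loop, and consider binding the list to a local so the lookup is not repeated per iteration.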
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java
index 2df47a3588b..667eca5547c 100644
--- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java
+++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java
@@ -81,7 +81,7 @@ public class IoTDBAuthIT {
() -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES
(100, 100)"));
Assert.assertThrows(
SQLException.class,
- () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA ON root.a"));
+ () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
CREATE_TIMESERIES ON root.a"));
adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL on root.**");
@@ -89,24 +89,11 @@ public class IoTDBAuthIT {
userStmt.execute("CREATE TIMESERIES root.a.b WITH
DATATYPE=INT32,ENCODING=PLAIN");
userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)");
userStmt.execute("SELECT * from root.a");
- userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.a");
- userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.b.b");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON
root.a");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON
root.b.b");
adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.**");
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.b.b");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE,
MANAGE_DATABASE on root.**");
-
- userStmt.execute("CREATE DATABASE root.c");
- userStmt.execute("CREATE TIMESERIES root.c.d WITH
DATATYPE=INT32,ENCODING=PLAIN");
- userStmt.execute("INSERT INTO root.c(timestamp, d) VALUES (100, 100)");
- userStmt.execute("SELECT * from root.c");
-
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE,
MANAGE_DATABASE on root.**");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES READ on root.**");
-
- userStmt.execute("SELECT * from root.c");
-
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ on root.**");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES
ON root.b.b");
Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE
DATABASE root.b"));
Assert.assertThrows(
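Review bot: The user-issued `GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a` is never revoked, whereas the sibling grant on `root.b.b` is revoked explicitly right after `REVOKE USER tempuser PRIVILEGES ALL on root.**`. That explicit `root.b.b` revoke suggests revoking ALL on `root.**` does not remove grants registered on other paths, in which case tempuser keeps SET_STORAGE_GROUP on `root.a` for the rest of the test and none of the later negative assertions exercise it. Add `adminStmt.execute("REVOKE USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a");` next to the `root.b.b` revoke, or assert the leftover grant deliberately. The enclosing try block continues past the hunk.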
@@ -119,7 +106,7 @@ public class IoTDBAuthIT {
Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT
* from root.a"));
Assert.assertThrows(
SQLException.class,
- () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA ON root.a"));
+ () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
CREATE_TIMESERIES ON root.a"));
}
}
}
@@ -136,10 +123,20 @@ public class IoTDBAuthIT {
Assert.assertThrows(
SQLException.class, () -> userStmt.execute("CREATE DATABASE
root.sgtest"));
- adminStmt.execute("GRANT USER sgtest PRIVILEGES MANAGE_DATABASE ON
root.*");
+ adminStmt.execute("GRANT USER sgtest PRIVILEGES CREATE_DATABASE ON
root.*");
try {
userStmt.execute("CREATE DATABASE root.sgtest");
+ } catch (SQLException e) {
+ fail(e.getMessage());
+ }
+
+ Assert.assertThrows(
+ SQLException.class, () -> userStmt.execute("DELETE DATABASE
root.sgtest"));
+
+ adminStmt.execute("GRANT USER sgtest PRIVILEGES DELETE_STORAGE_GROUP
ON root.*");
+
+ try {
userStmt.execute("DELETE DATABASE root.sgtest");
} catch (SQLException e) {
fail(e.getMessage());
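Review bot: The new steps mix two generations of privilege names in one flow: `GRANT USER sgtest PRIVILEGES CREATE_DATABASE ON root.*` guards the create and `GRANT USER sgtest PRIVILEGES DELETE_STORAGE_GROUP ON root.*` guards the delete. The SqlLexer.g4 hunk lists both `DELETE_STORAGE_GROUP` and `DELETE_DATABASE` as privilege tokens; whether they resolve to the same privilege is not visible here, so if they are aliases the delete step should use the spelling that matches the statement it guards, `adminStmt.execute("GRANT USER sgtest PRIVILEGES DELETE_DATABASE ON root.*");`, and the legacy spelling belongs in a test that covers the alias on purpose. The enclosing try/catch structure continues outside the hunk.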
@@ -200,57 +197,65 @@ public class IoTDBAuthIT {
// grant a non-existing user
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES
WRITE_SCHEMA on root.a"));
+ () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES
CREATE_DATABASE on root.a"));
// grant a non-existing privilege
Assert.assertThrows(
SQLException.class,
() -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
NOT_A_PRIVILEGE on root.a"));
- adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on
root.**");
// duplicate grant
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on
root.**");
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
MANAGE_USER on root.**"));
- // grant on an illegal seriesPath
+ () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
CREATE_USER on root.**"));
+ // grant on a illegal seriesPath
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA on a.b"));
+ () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
DELETE_TIMESERIES on a.b"));
// grant admin
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("GRANT USER root PRIVILEGES WRITE_SCHEMA
on root.a.b"));
+ () -> adminStmt.execute("GRANT USER root PRIVILEGES
DELETE_TIMESERIES on root.a.b"));
// no privilege to grant
Assert.assertThrows(
SQLException.class,
- () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA on root.a.b"));
+ () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
DELETE_TIMESERIES on root.a.b"));
// revoke a non-existing privilege
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES MANAGE_USER on
root.**");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on
root.**");
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES
MANAGE_USER on root.**"));
+ () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES
CREATE_USER on root.**"));
// revoke a non-existing user
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES
MANAGE_USER on root.**"));
- // revoke on an illegal seriesPath
+ () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES
CREATE_USER on root.**"));
+ // revoke on a illegal seriesPath
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES
WRITE_SCHEMA on a.b"));
+ () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES
DELETE_TIMESERIES on a.b"));
// revoke admin
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("REVOKE USER root PRIVILEGES WRITE_SCHEMA
on root.a.b"));
+ () -> adminStmt.execute("REVOKE USER root PRIVILEGES
DELETE_TIMESERIES on root.a.b"));
// no privilege to revoke
Assert.assertThrows(
SQLException.class,
- () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES
WRITE_SCHEMA on root.a.b"));
+ () ->
+ userStmt.execute("REVOKE USER tempuser PRIVILEGES
DELETE_TIMESERIES on root.a.b"));
// grant privilege to grant
Assert.assertThrows(
SQLException.class,
- () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA on root.a.b"));
+ () -> userStmt.execute("GRANT USER tempuser PRIVILEGES
DELETE_TIMESERIES on root.a.b"));
+
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE
on root.**");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on
root.**");
+
+ // grant privilege to revoke
+ Assert.assertThrows(
+ SQLException.class,
+ () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES
DELETE_TIMESERIES on root.**"));
- adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_PRIVILEGE on
root.**");
- userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on
root.**");
- userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on
root.**");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES
REVOKE_USER_PRIVILEGE on root.**");
+ userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on
root.**");
}
}
}
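Review bot: The new lines `adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE on root.**")` followed by `userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**")` pin down that a holder of GRANT_USER_PRIVILEGE may grant privileges to itself, which makes that privilege effectively as powerful as the full privilege set on the path. The test should state that intent, e.g. `// GRANT_USER_PRIVILEGE lets the holder grant any privilege on the path, including to itself` above the self-grant, so that any future tightening of this rule is a conscious change rather than an unexplained test break; the same applies to the REVOKE_USER_PRIVILEGE self-revoke at the end of the hunk. Separately, the restored comments `// grant on a illegal seriesPath` and `// revoke on a illegal seriesPath` regress to "a illegal" where the removed lines had "an illegal".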
@@ -268,25 +273,23 @@ public class IoTDBAuthIT {
// grant and revoke the user the privilege to create time series
Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE
DATABASE root.a"));
- adminStmt.execute("GRANT USER tempuser PRIVILEGES
MANAGE_DATABASE,WRITE_SCHEMA ON root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON
root.a");
userStmt.execute("CREATE DATABASE root.a");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.a.b");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON
root.a.b");
userStmt.execute("CREATE TIMESERIES root.a.b WITH
DATATYPE=INT32,ENCODING=PLAIN");
// no privilege to create this one
Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE
DATABASE root.b"));
// privilege already exists
Assert.assertThrows(
SQLException.class,
- () ->
- adminStmt.execute(
- "GRANT USER tempuser PRIVILEGES
MANAGE_DATABASE,WRITE_SCHEMA ON root.a"));
- // no privilege to create this one anymore
+ () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
CREATE_DATABASE ON root.a"));
+ // no privilege to create this one any more
Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE
DATABASE root.a"));
// no privilege to create timeseries
Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE
DATABASE root.a"));
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES
MANAGE_DATABASE,WRITE_SCHEMA ON root.a");
- // no privilege to create this one anymore
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_DATABASE ON
root.a");
+ // no privilege to create this one any more
Assert.assertThrows(
SQLException.class,
() ->
@@ -294,10 +297,11 @@ public class IoTDBAuthIT {
// privilege already exists
Assert.assertThrows(
SQLException.class,
- () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES
WRITE_SCHEMA ON root.a.b"));
+ () ->
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES
CREATE_TIMESERIES ON root.a.b"));
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.a.b");
- // no privilege to create this one anymore
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES
ON root.a.b");
+ // no privilege to create this one any more
Assert.assertThrows(
SQLException.class,
() ->
@@ -315,9 +319,9 @@ public class IoTDBAuthIT {
try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser",
"temppw");
Statement userStmt = userCon.createStatement()) {
- adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_DATABASE ON
root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON
root.a");
userStmt.execute("CREATE DATABASE root.a");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON
root.a.b");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON
root.a.b");
userStmt.execute("CREATE TIMESERIES root.a.b WITH
DATATYPE=INT32,ENCODING=PLAIN");
// grant privilege to insert
@@ -325,25 +329,25 @@ public class IoTDBAuthIT {
SQLException.class,
() -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES
(1,100)"));
- adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on
root.a.**");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on
root.a.**");
userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)");
// revoke privilege to insert
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_DATA on
root.a.**");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES
on root.a.**");
Assert.assertThrows(
SQLException.class,
() -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES
(1,100)"));
// grant privilege to query
Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT
* from root.a"));
- adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on
root.**");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on
root.**");
ResultSet resultSet = userStmt.executeQuery("SELECT * from root.a");
resultSet.close();
resultSet = userStmt.executeQuery("SELECT LAST b from root.a");
resultSet.close();
// revoke privilege to query
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_DATA on
root.**");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_TIMESERIES on
root.**");
Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT
* from root.a"));
}
}
@@ -362,7 +366,7 @@ public class IoTDBAuthIT {
adminStmt.execute("CREATE ROLE admin");
adminStmt.execute(
- "GRANT ROLE admin PRIVILEGES
MANAGE_DATABASE,WRITE_SCHEMA,READ_DATA,WRITE_DATA on root.**");
+ "GRANT ROLE admin PRIVILEGES
CREATE_DATABASE,CREATE_TIMESERIES,DELETE_TIMESERIES,READ_TIMESERIES,INSERT_TIMESERIES
on root.**");
adminStmt.execute("GRANT admin TO tempuser");
userStmt.execute("CREATE DATABASE root.a");
@@ -373,8 +377,13 @@ public class IoTDBAuthIT {
ResultSet resultSet = userStmt.executeQuery("SELECT * FROM root.**");
resultSet.close();
- adminStmt.execute("REVOKE ROLE admin PRIVILEGES
MANAGE_DATABASE,WRITE_SCHEMA on root.**");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on
root.**");
+ adminStmt.execute("REVOKE ROLE admin PRIVILEGES DELETE_TIMESERIES on
root.**");
+
+ Assert.assertThrows(
+ SQLException.class,
+ () -> userStmt.execute("DELETE FROM root.* WHERE TIME <=
1000000000"));
+
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on
root.**");
adminStmt.execute("REVOKE admin FROM tempuser");
resultSet = userStmt.executeQuery("SELECT * FROM root.**");
resultSet.close();
@@ -485,35 +494,37 @@ public class IoTDBAuthIT {
try {
adminStmt.execute("CREATE USER user1 'password1'");
- adminStmt.execute("GRANT USER user1 PRIVILEGES READ_SCHEMA ON root.a.b");
+ adminStmt.execute("GRANT USER user1 PRIVILEGES READ_TIMESERIES ON
root.a.b");
adminStmt.execute("CREATE ROLE role1");
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON
root.a.b.c");
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON
root.d.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES
READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES
READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c");
adminStmt.execute("GRANT role1 TO user1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER
user1");
String ans =
- ",root.a.b : READ_SCHEMA"
+ ",root.a.b : READ_TIMESERIES"
+ ",\n"
- + "role1,root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA"
+ + "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES"
+ ",\n"
- + "role1,root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA"
+ + "role1,root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES"
+ ",\n";
try {
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON
root.a.b.c");
- ans = "role1,root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n";
+ ans = "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE role1 from user1");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1");
- ans = ",root.a.b : READ_SCHEMA,\n";
+ ans = ",root.a.b : READ_TIMESERIES,\n";
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON
root.a.**");
- ans = ",root.a.b : READ_SCHEMA,\n";
+ ans = ",root.a.b : READ_TIMESERIES,\n";
validateResultSet(resultSet, ans);
} finally {
resultSet.close();
@@ -537,26 +548,31 @@ public class IoTDBAuthIT {
// not granted list role privilege, should return empty
validateResultSet(resultSet, ans);
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA
ON root.a.b.c");
- adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA
ON root.d.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES
READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES
READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1");
ans =
- "root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n"
- + "root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n";
+ "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES,\n"
+ + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES,\n";
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON
root.a.b.c");
- ans = "root.a.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n";
+ ans = "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES,\n";
validateResultSet(resultSet, ans);
- adminStmt.execute("REVOKE ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA
ON root.a.b.c");
+ adminStmt.execute(
+ "REVOKE ROLE role1 PRIVILEGES INSERT_TIMESERIES,DELETE_TIMESERIES
ON root.a.b.c");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1");
- ans = "root.d.b.c : READ_DATA WRITE_DATA READ_SCHEMA,\n";
+ ans =
+ "root.a.b.c : READ_TIMESERIES,\n"
+ + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES
DELETE_TIMESERIES,\n";
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON
root.a.b.c");
- ans = "";
+ ans = "root.a.b.c : READ_TIMESERIES,\n";
validateResultSet(resultSet, ans);
} finally {
resultSet.close();
@@ -635,10 +651,10 @@ public class IoTDBAuthIT {
};
for (int i = 0; i < members.length - 1; i++) {
- adminStmt.execute("CREATE USER " + members[i] + " 'a666666'");
+ adminStmt.execute("CREATE USER " + members[i] + " '666666'");
adminStmt.execute("GRANT dalao TO " + members[i]);
}
- adminStmt.execute("CREATE USER RiverSky 'a2333333'");
+ adminStmt.execute("CREATE USER RiverSky '2333333'");
adminStmt.execute("GRANT zhazha TO RiverSky");
ResultSet resultSet = adminStmt.executeQuery("LIST USER OF ROLE dalao");
@@ -718,7 +734,7 @@ public class IoTDBAuthIT {
try {
Assert.assertThrows(SQLException.class, () -> userStmt.execute("LIST
USER"));
// with list user privilege
- adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on
root.**");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES LIST_USER on
root.**");
ResultSet resultSet = userStmt.executeQuery("LIST USER");
String ans =
"root,\n"
@@ -761,7 +777,7 @@ public class IoTDBAuthIT {
try (Connection adminCon = EnvFactory.getEnv().getConnection();
Statement adminStmt = adminCon.createStatement()) {
adminStmt.execute("CREATE USER tempuser 'temppw'");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on
root.sg1.**");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on
root.sg1.**");
try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser",
"temppw");
Statement userStatement = userCon.createStatement()) {
@@ -798,7 +814,8 @@ public class IoTDBAuthIT {
Statement adminStatement = adminConnection.createStatement()) {
adminStatement.execute("CREATE USER a_application 'a_application'");
adminStatement.execute("CREATE ROLE application_role");
- adminStatement.execute("GRANT ROLE application_role PRIVILEGES READ_DATA
ON root.test.**");
+ adminStatement.execute(
+ "GRANT ROLE application_role PRIVILEGES READ_TIMESERIES ON
root.test.**");
adminStatement.execute("GRANT application_role TO a_application");
adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3)
VALUES(1, 2, 3, 4)");
@@ -822,7 +839,8 @@ public class IoTDBAuthIT {
adminStatement.execute("CREATE USER user01 'pass1234'");
adminStatement.execute("CREATE USER user02 'pass1234'");
adminStatement.execute("CREATE ROLE manager");
- adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_PRIVILEGE on
root.**");
+ adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_USER_ROLE on
root.**");
+ adminStatement.execute("GRANT USER user01 PRIVILEGES REVOKE_USER_ROLE on
root.**");
}
try (Connection userCon = EnvFactory.getEnv().getConnection("user01",
"pass1234");
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java
index 54cde136ec8..132acdcb51d 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java
@@ -603,10 +603,32 @@ public class IoTDBSyntaxConventionIdentifierIT {
public void testUserName() {
try (Connection connection = EnvFactory.getEnv().getConnection();
Statement statement = connection.createStatement()) {
- String[] userNames = new String[] {"userid", "userid0", "user_id",
"user0id", "`a22233`"};
+ String[] userNames =
+ new String[] {
+ "userid",
+ "userid0",
+ "user_id",
+ "user0id",
+ "`22233`",
+ "`userab!`",
+ "`user'ab'`",
+ "`usera.b`",
+ "`usera``b`"
+ };
String[] resultNames =
- new String[] {"root", "userid", "userid0", "user_id", "user0id",
"a22233"};
+ new String[] {
+ "root",
+ "userid",
+ "userid0",
+ "user_id",
+ "user0id",
+ "22233",
+ "userab!",
+ "user'ab'",
+ "usera.b",
+ "usera`b"
+ };
String createUsersSql = "create user %s 'pwd123' ";
for (String userName : userNames) {
@@ -668,9 +690,31 @@ public class IoTDBSyntaxConventionIdentifierIT {
public void testRoleName() {
try (Connection connection = EnvFactory.getEnv().getConnection();
Statement statement = connection.createStatement()) {
- String[] roleNames = new String[] {"roleid", "roleid0", "role_id",
"role0id", "`a22233`"};
+ String[] roleNames =
+ new String[] {
+ "roleid",
+ "roleid0",
+ "role_id",
+ "role0id",
+ "`22233`",
+ "`roleab!`",
+ "`role'ab'`",
+ "`rolea.b`",
+ "`rolea``b`"
+ };
- String[] resultNames = new String[] {"roleid", "roleid0", "role_id",
"role0id", "a22233"};
+ String[] resultNames =
+ new String[] {
+ "roleid",
+ "roleid0",
+ "role_id",
+ "role0id",
+ "22233",
+ "roleab!",
+ "role'ab'",
+ "rolea.b",
+ "rolea`b"
+ };
String createRolesSql = "create role %s";
for (String roleName : roleNames) {
statement.execute(String.format(createRolesSql, roleName));
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java
index 1b858d70dd8..dc2254149e8 100644
--- a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java
+++ b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java
@@ -541,11 +541,11 @@ public class IoTDBCQIT {
} catch (Exception e) {
assertEquals(
TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": No permissions for this operation, please add privilege
USE_CQ",
+ + ": No permissions for this operation, please add privilege
SHOW_CONTINUOUS_QUERIES",
e.getMessage());
}
- statement.execute("GRANT USER `zmty` PRIVILEGES USE_CQ");
+ statement.execute("GRANT USER `zmty` PRIVILEGES
SHOW_CONTINUOUS_QUERIES");
try (ResultSet resultSet = statement2.executeQuery("show CQS")) {
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java
index 16b0ca64fe0..917949ab266 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java
@@ -551,7 +551,7 @@ public class IoTDBSelectIntoIT {
try (Connection adminCon = EnvFactory.getEnv().getConnection();
Statement adminStmt = adminCon.createStatement()) {
adminStmt.execute("CREATE USER tempuser1 'temppw1'");
- adminStmt.execute("GRANT USER tempuser1 PRIVILEGES WRITE_DATA on
root.sg_bk.**;");
+ adminStmt.execute("GRANT USER tempuser1 PRIVILEGES INSERT_TIMESERIES on
root.sg_bk.**;");
try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser1",
"temppw1");
Statement userStmt = userCon.createStatement()) {
@@ -562,7 +562,8 @@ public class IoTDBSelectIntoIT {
Assert.assertTrue(
e.getMessage(),
e.getMessage()
- .contains("No permissions for this operation, please add
privilege READ_DATA"));
+ .contains(
+ "No permissions for this operation, please add privilege
READ_TIMESERIES"));
}
}
}
@@ -572,7 +573,7 @@ public class IoTDBSelectIntoIT {
try (Connection adminCon = EnvFactory.getEnv().getConnection();
Statement adminStmt = adminCon.createStatement()) {
adminStmt.execute("CREATE USER tempuser2 'temppw2'");
- adminStmt.execute("GRANT USER tempuser2 PRIVILEGES WRITE_DATA on
root.sg.**;");
+ adminStmt.execute("GRANT USER tempuser2 PRIVILEGES READ_TIMESERIES on
root.sg.**;");
try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser2",
"temppw2");
Statement userStmt = userCon.createStatement()) {
@@ -583,7 +584,8 @@ public class IoTDBSelectIntoIT {
Assert.assertTrue(
e.getMessage(),
e.getMessage()
- .contains("No permissions for this operation, please add
privilege WRITE_DATA"));
+ .contains(
+ "No permissions for this operation, please add privilege
INSERT_TIMESERIES"));
}
}
}
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java
index 8b04523b6b8..00a2530d8ca 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java
@@ -546,11 +546,11 @@ public class IoTDBTriggerManagementIT {
} catch (Exception e) {
assertEquals(
TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": No permissions for this operation, please add privilege
USE_TRIGGER",
+ + ": No permissions for this operation, please add privilege
CREATE_TRIGGER",
e.getMessage());
}
- statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on
root.test.stateless.a");
+ statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on
root.test.stateless.a");
try {
statement2.execute(
@@ -576,7 +576,7 @@ public class IoTDBTriggerManagementIT {
} catch (Exception e) {
assertEquals(
TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": No permissions for this operation, please add privilege
USE_TRIGGER",
+ + ": No permissions for this operation, please add privilege
CREATE_TRIGGER",
e.getMessage());
}
}
@@ -608,11 +608,11 @@ public class IoTDBTriggerManagementIT {
} catch (Exception e) {
assertEquals(
TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": No permissions for this operation, please add privilege
USE_TRIGGER",
+ + ": No permissions for this operation, please add privilege
DROP_TRIGGER",
e.getMessage());
}
- statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on
root.test.stateless.b");
+ statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on
root.test.stateless.b");
try {
statement2.execute("drop trigger " +
STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a");
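Review bot: The grant `GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on root.test.stateless.b` is issued right before `statement2` attempts to drop trigger `...a`, while the following hunk still expects that drop to fail with `DROP_TRIGGER` and only then grants `DROP_TRIGGER on root.test.stateless.a`. Presumably this is a deliberate negative step (an unrelated privilege on a different path must not authorize the drop), but nothing in the hunk says so, and it reads like a copy of the CREATE_TRIGGER grant above; add `// negative check: CREATE_TRIGGER on another path must not authorize dropping trigger a` above the grant. The surrounding try/catch structure runs outside the hunk.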
@@ -620,11 +620,11 @@ public class IoTDBTriggerManagementIT {
} catch (Exception e) {
assertEquals(
TSStatusCode.NO_PERMISSION.getStatusCode()
- + ": No permissions for this operation, please add privilege
USE_TRIGGER",
+ + ": No permissions for this operation, please add privilege
DROP_TRIGGER",
e.getMessage());
}
- statement.execute("GRANT USER `zmty` PRIVILEGES USE_TRIGGER on
root.test.stateless.a");
+ statement.execute("GRANT USER `zmty` PRIVILEGES DROP_TRIGGER on
root.test.stateless.a");
try {
statement2.execute("drop trigger " +
STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a");
diff --git
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
index c9d66ee181e..c26fe66aa5b 100644
---
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
+++
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
@@ -910,8 +910,6 @@ privileges
privilegeValue
: ALL
- | READ
- | WRITE
| PRIVILEGE_VALUE
;
diff --git
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
index 0d66cbc8033..ed4d8884943 100644
--- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
+++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
@@ -61,14 +61,6 @@ ALL
: A L L
;
-READ
- : R E A D
- ;
-
-WRITE
- : W R I T E
- ;
-
ALTER
: A L T E R
;
@@ -905,70 +897,140 @@ ELSE
// Privileges Keywords
PRIVILEGE_VALUE
- : READ_DATA
- | WRITE_DATA
- | READ_SCHEMA
- | WRITE_SCHEMA
- | MANAGE_USER
- | MANAGE_ROLE
- | GRANT_PRIVILEGE
- | ALTER_PASSWORD
- | USE_TRIGGER
- | USE_CQ
- | USE_PIPE
- | MANAGE_DATABASE
+ : SET_STORAGE_GROUP | DELETE_STORAGE_GROUP | CREATE_DATABASE |
DELETE_DATABASE
+ | CREATE_TIMESERIES | INSERT_TIMESERIES | READ_TIMESERIES |
DELETE_TIMESERIES | ALTER_TIMESERIES
+ | CREATE_USER | DELETE_USER | MODIFY_PASSWORD | LIST_USER
+ | GRANT_USER_PRIVILEGE | REVOKE_USER_PRIVILEGE | GRANT_USER_ROLE |
REVOKE_USER_ROLE
+ | CREATE_ROLE | DELETE_ROLE | LIST_ROLE | GRANT_ROLE_PRIVILEGE |
REVOKE_ROLE_PRIVILEGE
+ | CREATE_FUNCTION | DROP_FUNCTION | CREATE_TRIGGER | DROP_TRIGGER |
START_TRIGGER | STOP_TRIGGER
+ | CREATE_CONTINUOUS_QUERY | DROP_CONTINUOUS_QUERY | SHOW_CONTINUOUS_QUERIES
+ | APPLY_TEMPLATE | UPDATE_TEMPLATE | READ_TEMPLATE |
READ_TEMPLATE_APPLICATION
+ | CREATE_PIPEPLUGIN | DROP_PIPEPLUGIN | SHOW_PIPEPLUGINS | CREATE_PIPE |
START_PIPE | STOP_PIPE | DROP_PIPE | SHOW_PIPES
+ | CREATE_VIEW | ALTER_VIEW | RENAME_VIEW | DELETE_VIEW
+ ;
+
+SET_STORAGE_GROUP
+ : S E T '_' S T O R A G E '_' G R O U P
;
-READ_DATA
- : R E A D '_' D A T A
+DELETE_STORAGE_GROUP
+ : D E L E T E '_' S T O R A G E '_' G R O U P
;
-WRITE_DATA
- : W R I T E '_' D A T A
+CREATE_DATABASE
+ : C R E A T E '_' D A T A B A S E
;
-READ_SCHEMA
- : R E A D '_' S C H E M A
+DELETE_DATABASE
+ : D E L E T E '_' D A T A B A S E
;
-WRITE_SCHEMA
- : W R I T E '_' S C H E M A
+CREATE_TIMESERIES
+ : C R E A T E '_' T I M E S E R I E S
;
-MANAGE_USER
- : M A N A G E '_' U S E R
+INSERT_TIMESERIES
+ : I N S E R T '_' T I M E S E R I E S
;
-MANAGE_ROLE
- : M A N A G E '_' R O L E
+READ_TIMESERIES
+ : R E A D '_' T I M E S E R I E S
;
-GRANT_PRIVILEGE
- : G R A N T '_' P R I V I L E G E
+DELETE_TIMESERIES
+ : D E L E T E '_' T I M E S E R I E S
;
-ALTER_PASSWORD
- : A L T E R '_' P A S S W O R D
+ALTER_TIMESERIES
+ : A L T E R '_' T I M E S E R I E S
;
-USE_TRIGGER
- : U S E '_' T R I G G E R
+CREATE_USER
+ : C R E A T E '_' U S E R
;
-USE_CQ
- : U S E '_' C Q
+DELETE_USER
+ : D E L E T E '_' U S E R
;
-USE_PIPE
- : U S E '_' P I P E
+MODIFY_PASSWORD
+ : M O D I F Y '_' P A S S W O R D
;
-MANAGE_DATABASE
- : M A N A G E '_' D A T A B A S E
+LIST_USER
+ : L I S T '_' U S E R
;
-SET_STORAGE_GROUP
- : S E T '_' S T O R A G E '_' G R O U P
+GRANT_USER_PRIVILEGE
+ : G R A N T '_' U S E R '_' P R I V I L E G E
+ ;
+
+REVOKE_USER_PRIVILEGE
+ : R E V O K E '_' U S E R '_' P R I V I L E G E
+ ;
+
+GRANT_USER_ROLE
+ : G R A N T '_' U S E R '_' R O L E
+ ;
+
+REVOKE_USER_ROLE
+ : R E V O K E '_' U S E R '_' R O L E
+ ;
+
+CREATE_ROLE
+ : C R E A T E '_' R O L E
+ ;
+
+DELETE_ROLE
+ : D E L E T E '_' R O L E
+ ;
+
+LIST_ROLE
+ : L I S T '_' R O L E
+ ;
+
+GRANT_ROLE_PRIVILEGE
+ : G R A N T '_' R O L E '_' P R I V I L E G E
+ ;
+
+REVOKE_ROLE_PRIVILEGE
+ : R E V O K E '_' R O L E '_' P R I V I L E G E
+ ;
+
+CREATE_FUNCTION
+ : C R E A T E '_' F U N C T I O N
+ ;
+
+DROP_FUNCTION
+ : D R O P '_' F U N C T I O N
+ ;
+
+CREATE_TRIGGER
+ : C R E A T E '_' T R I G G E R
+ ;
+
+DROP_TRIGGER
+ : D R O P '_' T R I G G E R
+ ;
+
+START_TRIGGER
+ : S T A R T '_' T R I G G E R
+ ;
+
+STOP_TRIGGER
+ : S T O P '_' T R I G G E R
+ ;
+
+CREATE_CONTINUOUS_QUERY
+ : C R E A T E '_' C O N T I N U O U S '_' Q U E R Y
+ ;
+
+DROP_CONTINUOUS_QUERY
+ : D R O P '_' C O N T I N U O U S '_' Q U E R Y
+ ;
+
+SHOW_CONTINUOUS_QUERIES
+ : S H O W '_' C O N T I N U O U S '_' Q U E R I E S
;
SCHEMA_REPLICATION_FACTOR
@@ -991,6 +1053,69 @@ DATA_REGION_GROUP_NUM
: D A T A '_' R E G I O N '_' G R O U P '_' N U M
;
+APPLY_TEMPLATE
+ : A P P L Y '_' T E M P L A T E
+ ;
+
+UPDATE_TEMPLATE
+ : U P D A T E '_' T E M P L A T E
+ ;
+
+READ_TEMPLATE
+ : R E A D '_' T E M P L A T E
+ ;
+
+READ_TEMPLATE_APPLICATION
+ : R E A D '_' T E M P L A T E '_' A P P L I C A T I O N
+ ;
+
+CREATE_PIPEPLUGIN
+ : C R E A T E '_' P I P E P L U G I N
+ ;
+
+DROP_PIPEPLUGIN
+ : D R O P '_' P I P E P L U G I N
+ ;
+
+SHOW_PIPEPLUGINS
+ : S H O W '_' P I P E P L U G I N S
+ ;
+CREATE_PIPE
+ : C R E A T E '_' P I P E
+ ;
+
+START_PIPE
+ : S T A R T '_' P I P E
+ ;
+
+STOP_PIPE
+ : S T O P '_' P I P E
+ ;
+
+DROP_PIPE
+ : D R O P '_' P I P E
+ ;
+
+SHOW_PIPES
+ : S H O W '_' P I P E S
+ ;
+
+CREATE_VIEW
+ : C R E A T E '_' V I E W
+ ;
+
+ALTER_VIEW
+ : A L T E R '_' V I E W
+ ;
+
+RENAME_VIEW
+ : R E N A M E '_' V I E W
+ ;
+
+DELETE_VIEW
+ : D E L E T E '_' V I E W
+ ;
+
/**
* 3. Operators
*/
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
index 22b04d9cc0d..2c1ce580110 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
@@ -314,7 +314,7 @@ public class AuthorInfo implements SnapshotProcessor {
List<String> userPrivilegesList = new ArrayList<>();
if (IoTDBConstant.PATH_ROOT.equals(plan.getUserName())) {
- for (PrivilegeType privilegeType :
PrivilegeType.ALL.getStorablePrivilege()) {
+ for (PrivilegeType privilegeType : PrivilegeType.values()) {
userPrivilegesList.add(privilegeType.toString());
}
} else {
diff --git
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java
index f30d46dd117..b09b65d5085 100644
---
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java
+++
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java
@@ -540,7 +540,8 @@ public class ConfigPhysicalPlanSerDeTest {
AuthorPlan req0;
AuthorPlan req1;
Set<Integer> permissions = new HashSet<>();
- permissions.add(PrivilegeType.GRANT_PRIVILEGE.ordinal());
+ permissions.add(PrivilegeType.GRANT_USER_PRIVILEGE.ordinal());
+ permissions.add(PrivilegeType.REVOKE_USER_ROLE.ordinal());
// create user
req0 =
diff --git
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
index 04412c3a252..ff5b2f337a2 100644
---
a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
+++
b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java
@@ -89,13 +89,16 @@ public class AuthorInfoTest {
TCheckUserPrivilegesReq checkUserPrivilegesReq;
Set<Integer> privilegeList = new HashSet<>();
- privilegeList.add(PrivilegeType.MANAGE_USER.ordinal());
+ privilegeList.add(PrivilegeType.DELETE_USER.ordinal());
+ privilegeList.add(PrivilegeType.CREATE_USER.ordinal());
Set<Integer> revokePrivilege = new HashSet<>();
- revokePrivilege.add(PrivilegeType.MANAGE_USER.ordinal());
+ revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal());
+ Map<String, List<String>> permissionInfo;
List<String> privilege = new ArrayList<>();
- privilege.add("root.** : MANAGE_USER");
+ privilege.add("root.** : CREATE_USER");
+ privilege.add("root.** : CREATE_USER");
List<PartialPath> paths = new ArrayList<>();
paths.add(new PartialPath("root.ln"));
@@ -122,7 +125,7 @@ public class AuthorInfoTest {
// check user privileges
status =
authorInfo
- .checkUserPrivileges("user0", paths,
PrivilegeType.MANAGE_USER.ordinal())
+ .checkUserPrivileges("user0", paths,
PrivilegeType.DELETE_USER.ordinal())
.getStatus();
Assert.assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(),
status.getCode());
@@ -215,7 +218,7 @@ public class AuthorInfoTest {
// check user privileges
status =
authorInfo
- .checkUserPrivileges("user0", paths,
PrivilegeType.MANAGE_USER.ordinal())
+ .checkUserPrivileges("user0", paths,
PrivilegeType.DELETE_USER.ordinal())
.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
@@ -282,7 +285,6 @@ public class AuthorInfoTest {
permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- privilege.remove(0);
Assert.assertEquals(
privilege,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE));
@@ -315,6 +317,7 @@ public class AuthorInfoTest {
permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
+ privilege.remove(0);
Assert.assertEquals(
0,
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size());
@@ -411,12 +414,10 @@ public class AuthorInfoTest {
permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan);
status = permissionInfoResp.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
- Set<PrivilegeType> allPrivilegeTypes =
PrivilegeType.ALL.getStorablePrivilege();
- List<String> resultPrivilegeTypes =
-
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE);
- Assert.assertEquals(allPrivilegeTypes.size(), resultPrivilegeTypes.size());
- for (int i = 0; i < allPrivilegeTypes.size(); i++) {
-
Assert.assertTrue(resultPrivilegeTypes.contains(PrivilegeType.values()[i].toString()));
+ for (int i = 0; i < PrivilegeType.values().length; i++) {
+ Assert.assertEquals(
+ PrivilegeType.values()[i].toString(),
+
permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).get(i));
}
}
@@ -512,18 +513,18 @@ public class AuthorInfoTest {
AuthorPlan authorPlan;
Set<Integer> privilegeList = new HashSet<>();
- privilegeList.add(PrivilegeType.WRITE_DATA.ordinal());
- privilegeList.add(PrivilegeType.READ_DATA.ordinal());
+ privilegeList.add(PrivilegeType.INSERT_TIMESERIES.ordinal());
+ privilegeList.add(PrivilegeType.READ_TIMESERIES.ordinal());
Map<String, List<String>> permissionInfo;
List<String> userPrivilege = new ArrayList<>();
- userPrivilege.add("root.sg.** : READ_DATA WRITE_DATA");
- userPrivilege.add("root.ln.** : READ_DATA WRITE_DATA");
+ userPrivilege.add("root.sg.** : INSERT_TIMESERIES READ_TIMESERIES");
+ userPrivilege.add("root.ln.** : INSERT_TIMESERIES READ_TIMESERIES");
Collections.sort(userPrivilege);
List<String> rolePrivilege = new ArrayList<>();
- rolePrivilege.add("root.abc.** : READ_DATA WRITE_DATA");
- rolePrivilege.add("root.role_1.** : READ_DATA WRITE_DATA");
+ rolePrivilege.add("root.abc.** : INSERT_TIMESERIES READ_TIMESERIES");
+ rolePrivilege.add("root.role_1.** : INSERT_TIMESERIES READ_TIMESERIES");
Collections.sort(rolePrivilege);
List<String> allPrivilege = new ArrayList<>();
@@ -578,7 +579,7 @@ public class AuthorInfoTest {
// check user privileges
status =
authorInfo
- .checkUserPrivileges("user0", userPaths,
PrivilegeType.WRITE_DATA.ordinal())
+ .checkUserPrivileges("user0", userPaths,
PrivilegeType.INSERT_TIMESERIES.ordinal())
.getStatus();
Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(),
status.getCode());
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index a7feb9966c8..674f09d2bb1 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -75,7 +75,7 @@ public class AuthorityChecker {
int permission = translateToPermissionId(type);
if (permission == -1) {
return false;
- } else if (permission == PrivilegeType.ALTER_PASSWORD.ordinal()
+ } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal()
&& username.equals(targetUser)) {
// A user can modify his own password
return true;
@@ -152,32 +152,43 @@ public class AuthorityChecker {
private static int translateToPermissionId(StatementType type) {
switch (type) {
- case SHOW_SCHEMA_TEMPLATE:
- case SHOW_NODES_IN_SCHEMA_TEMPLATE:
- case SHOW_PATH_SET_SCHEMA_TEMPLATE:
- case SHOW_PATH_USING_SCHEMA_TEMPLATE:
- return PrivilegeType.READ_SCHEMA.ordinal();
+ case CREATE_ROLE:
+ return PrivilegeType.CREATE_ROLE.ordinal();
+ case CREATE_USER:
+ return PrivilegeType.CREATE_USER.ordinal();
+ case DELETE_USER:
+ return PrivilegeType.DELETE_USER.ordinal();
+ case DELETE_ROLE:
+ return PrivilegeType.DELETE_ROLE.ordinal();
+ case MODIFY_PASSWORD:
+ return PrivilegeType.MODIFY_PASSWORD.ordinal();
+ case GRANT_USER_PRIVILEGE:
+ return PrivilegeType.GRANT_USER_PRIVILEGE.ordinal();
+ case GRANT_ROLE_PRIVILEGE:
+ return PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal();
+ case REVOKE_USER_PRIVILEGE:
+ return PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal();
+ case REVOKE_ROLE_PRIVILEGE:
+ return PrivilegeType.REVOKE_ROLE_PRIVILEGE.ordinal();
+ case GRANT_USER_ROLE:
+ return PrivilegeType.GRANT_USER_ROLE.ordinal();
+ case REVOKE_USER_ROLE:
+ return PrivilegeType.REVOKE_USER_ROLE.ordinal();
case STORAGE_GROUP_SCHEMA:
- case DELETE_STORAGE_GROUP:
- return PrivilegeType.MANAGE_DATABASE.ordinal();
case TTL:
+ return PrivilegeType.CREATE_DATABASE.ordinal();
+ case DELETE_STORAGE_GROUP:
+ return PrivilegeType.DELETE_DATABASE.ordinal();
case CREATE_TIMESERIES:
case CREATE_ALIGNED_TIMESERIES:
case CREATE_MULTI_TIMESERIES:
+ return PrivilegeType.CREATE_TIMESERIES.ordinal();
case DELETE_TIMESERIES:
+ case DELETE:
case DROP_INDEX:
+ return PrivilegeType.DELETE_TIMESERIES.ordinal();
case ALTER_TIMESERIES:
- case CREATE_TEMPLATE:
- case DROP_TEMPLATE:
- case SET_TEMPLATE:
- case ACTIVATE_TEMPLATE:
- case DEACTIVATE_TEMPLATE:
- case UNSET_TEMPLATE:
- case CREATE_LOGICAL_VIEW:
- case ALTER_LOGICAL_VIEW:
- case RENAME_LOGICAL_VIEW:
- case DELETE_LOGICAL_VIEW:
- return PrivilegeType.WRITE_SCHEMA.ordinal();
+ return PrivilegeType.ALTER_TIMESERIES.ordinal();
case SHOW:
case QUERY:
case GROUP_BY_TIME:
@@ -190,55 +201,75 @@ public class AuthorityChecker {
case GROUP_BY_FILL:
case SELECT_INTO:
case COUNT:
- case CREATE_FUNCTION:
- case DROP_FUNCTION:
- return PrivilegeType.READ_DATA.ordinal();
+ return PrivilegeType.READ_TIMESERIES.ordinal();
case INSERT:
- case DELETE:
case LOAD_DATA:
case CREATE_INDEX:
case BATCH_INSERT:
case BATCH_INSERT_ONE_DEVICE:
case BATCH_INSERT_ROWS:
case MULTI_BATCH_INSERT:
- return PrivilegeType.WRITE_DATA.ordinal();
- case CREATE_USER:
- case DELETE_USER:
- case LIST_USER:
- case LIST_USER_ROLES:
- case LIST_USER_PRIVILEGE:
- return PrivilegeType.MANAGE_USER.ordinal();
- case CREATE_ROLE:
- case DELETE_ROLE:
+ return PrivilegeType.INSERT_TIMESERIES.ordinal();
case LIST_ROLE:
case LIST_ROLE_USERS:
case LIST_ROLE_PRIVILEGE:
- return PrivilegeType.MANAGE_ROLE.ordinal();
- case MODIFY_PASSWORD:
- return PrivilegeType.ALTER_PASSWORD.ordinal();
- case GRANT_USER_PRIVILEGE:
- case REVOKE_USER_PRIVILEGE:
- case GRANT_ROLE_PRIVILEGE:
- case REVOKE_ROLE_PRIVILEGE:
- case GRANT_USER_ROLE:
- case REVOKE_USER_ROLE:
- return PrivilegeType.GRANT_PRIVILEGE.ordinal();
+ return PrivilegeType.LIST_ROLE.ordinal();
+ case LIST_USER:
+ case LIST_USER_ROLES:
+ case LIST_USER_PRIVILEGE:
+ return PrivilegeType.LIST_USER.ordinal();
+ case CREATE_FUNCTION:
+ return PrivilegeType.CREATE_FUNCTION.ordinal();
+ case DROP_FUNCTION:
+ return PrivilegeType.DROP_FUNCTION.ordinal();
case CREATE_TRIGGER:
+ return PrivilegeType.CREATE_TRIGGER.ordinal();
case DROP_TRIGGER:
- return PrivilegeType.USE_TRIGGER.ordinal();
+ return PrivilegeType.DROP_TRIGGER.ordinal();
case CREATE_CONTINUOUS_QUERY:
+ return PrivilegeType.CREATE_CONTINUOUS_QUERY.ordinal();
case DROP_CONTINUOUS_QUERY:
+ return PrivilegeType.DROP_CONTINUOUS_QUERY.ordinal();
+ case CREATE_TEMPLATE:
+ case DROP_TEMPLATE:
+ return PrivilegeType.UPDATE_TEMPLATE.ordinal();
+ case SET_TEMPLATE:
+ case ACTIVATE_TEMPLATE:
+ case DEACTIVATE_TEMPLATE:
+ case UNSET_TEMPLATE:
+ return PrivilegeType.APPLY_TEMPLATE.ordinal();
+ case SHOW_SCHEMA_TEMPLATE:
+ case SHOW_NODES_IN_SCHEMA_TEMPLATE:
+ return PrivilegeType.READ_TEMPLATE.ordinal();
+ case SHOW_PATH_SET_SCHEMA_TEMPLATE:
+ case SHOW_PATH_USING_SCHEMA_TEMPLATE:
+ return PrivilegeType.READ_TEMPLATE_APPLICATION.ordinal();
case SHOW_CONTINUOUS_QUERIES:
- return PrivilegeType.USE_CQ.ordinal();
+ return PrivilegeType.SHOW_CONTINUOUS_QUERIES.ordinal();
case CREATE_PIPEPLUGIN:
+ return PrivilegeType.CREATE_PIPEPLUGIN.ordinal();
case DROP_PIPEPLUGIN:
+ return PrivilegeType.DROP_PIPEPLUGIN.ordinal();
case SHOW_PIPEPLUGINS:
+ return PrivilegeType.SHOW_PIPEPLUGINS.ordinal();
case CREATE_PIPE:
+ return PrivilegeType.CREATE_PIPE.ordinal();
case START_PIPE:
+ return PrivilegeType.START_PIPE.ordinal();
case STOP_PIPE:
+ return PrivilegeType.STOP_PIPE.ordinal();
case DROP_PIPE:
+ return PrivilegeType.DROP_PIPE.ordinal();
case SHOW_PIPES:
- return PrivilegeType.USE_PIPE.ordinal();
+ return PrivilegeType.SHOW_PIPES.ordinal();
+ case CREATE_LOGICAL_VIEW:
+ return PrivilegeType.CREATE_VIEW.ordinal();
+ case ALTER_LOGICAL_VIEW:
+ return PrivilegeType.ALTER_VIEW.ordinal();
+ case RENAME_LOGICAL_VIEW:
+ return PrivilegeType.RENAME_VIEW.ordinal();
+ case DELETE_LOGICAL_VIEW:
+ return PrivilegeType.DELETE_VIEW.ordinal();
default:
logger.error("Unrecognizable operator type ({}) for
AuthorityChecker.", type);
return -1;
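Review bot: `case SELECT_INTO:` is authorized with READ_TIMESERIES only, yet SELECT INTO writes query results into its target paths; unless the into-targets are separately checked for INSERT_TIMESERIES outside this switch, a read-only user can create data under paths it cannot otherwise write. The same arm also lumps `LOAD_DATA` and `CREATE_INDEX` under INSERT_TIMESERIES and (in the previous hunk) `DELETE` under DELETE_TIMESERIES, so data deletion and schema deletion are one privilege here — presumably intentional for this privilege model, but worth stating. I would add above the SELECT_INTO arm: `// SELECT_INTO: only the read side is checked here; the write to the into-target paths must be authorized at the target`. The `default` arm returning -1 is treated as deny by the caller, so the mapping fails closed — keep it that way when adding statement types. The switch begins in the previous hunk and the method's closing brace is outside this one.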
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
index 255d26f8252..68056580beb 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
@@ -303,15 +303,13 @@ public class ClusterAuthorityFetcher implements
IAuthorityFetcher {
*/
private PathPrivilege toPathPrivilege(PartialPath path, String privilege) {
PathPrivilege pathPrivilege = new PathPrivilege();
- pathPrivilege.setPath(path);
+ String[] privileges = privilege.replace(" ", "").split(",");
Set<Integer> privilegeIds = new HashSet<>();
- pathPrivilege.setPrivileges(privilegeIds);
- if (privilege.trim().length() != 0) {
- String[] privileges = privilege.replace(" ", "").split(",");
- for (String p : privileges) {
- privilegeIds.add(Integer.parseInt(p));
- }
+ for (String p : privileges) {
+ privilegeIds.add(Integer.parseInt(p));
}
+ pathPrivilege.setPrivileges(privilegeIds);
+ pathPrivilege.setPath(path);
return pathPrivilege;
}
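Review bot: The new body of `toPathPrivilege` drops the `privilege.trim().length() != 0` guard, so an empty privilege string becomes `[""]` after `split(",")` and `Integer.parseInt("")` throws NumberFormatException for a path that carries no privileges; whether such a string can reach this method depends on the caller, which is outside the hunk, but the old code evidently expected it. Keep the guard inside the loop: `if (!p.isEmpty()) { privilegeIds.add(Integer.parseInt(p)); }`. The ids parsed here are PrivilegeType ordinals (the tests in this commit pass `.ordinal()` values), so enum order is effectively part of the transport format and any reordering silently remaps existing grants; a comment such as `// privilege ids are PrivilegeType ordinals — enum order is part of the wire format` would make that constraint visible to the next person editing the enum.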
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
index e3b27b0402e..1f49e916428 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
@@ -2267,6 +2267,12 @@ public class ASTVisitor extends
IoTDBSqlParserBaseVisitor<Statement> {
boolean pathRelevant = true;
String errorPrivilegeName = "";
for (String privilege : privileges) {
+ if ("SET_STORAGE_GROUP".equalsIgnoreCase(privilege)) {
+ privilege = PrivilegeType.CREATE_DATABASE.name();
+ }
+ if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(privilege)) {
+ privilege = PrivilegeType.DELETE_DATABASE.name();
+ }
if (!PrivilegeType.valueOf(privilege.toUpperCase()).isPathRelevant()) {
pathRelevant = false;
errorPrivilegeName = privilege.toUpperCase();
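Review bot: The legacy-name aliasing (`privilege = PrivilegeType.CREATE_DATABASE.name();`) rewrites only the loop variable, so if `privileges` is used after this loop to build the statement — the rest of the method is outside the hunk — the un-normalized `SET_STORAGE_GROUP`/`DELETE_STORAGE_GROUP` would still be passed along and would not match the enum. If that is the case, normalize the collection before or instead of the loop variable. Separately, `privilege.toUpperCase()` is locale-sensitive: under a Turkish default locale a lowercase `i` maps to `İ`, so `PrivilegeType.valueOf(...)` throws IllegalArgumentException for an otherwise valid name; use `privilege.toUpperCase(Locale.ROOT)`.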
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
index 37f71925dbc..2fac0adae4d 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
@@ -54,8 +54,8 @@ public class AuthorizerManagerTest {
Set<Integer> privilegesIds = new HashSet<>();
PathPrivilege privilege = new PathPrivilege();
List<PathPrivilege> privilegeList = new ArrayList<>();
- privilegesIds.add(PrivilegeType.MANAGE_ROLE.ordinal());
- privilegesIds.add(PrivilegeType.GRANT_PRIVILEGE.ordinal());
+ privilegesIds.add(PrivilegeType.CREATE_ROLE.ordinal());
+ privilegesIds.add(PrivilegeType.REVOKE_USER_ROLE.ordinal());
privilege.setPath(new PartialPath("root.ln"));
privilege.setPrivileges(privilegesIds);
privilegeList.add(privilege);
@@ -108,7 +108,7 @@ public class AuthorizerManagerTest {
.checkUserPrivileges(
"user",
Collections.singletonList(new PartialPath("root.ln")),
- PrivilegeType.MANAGE_ROLE.ordinal())
+ PrivilegeType.CREATE_ROLE.ordinal())
.getCode());
// User does not have permission
Assert.assertEquals(
@@ -117,7 +117,7 @@ public class AuthorizerManagerTest {
.checkUserPrivileges(
"user",
Collections.singletonList(new PartialPath("root.ln")),
- PrivilegeType.MANAGE_USER.ordinal())
+ PrivilegeType.CREATE_USER.ordinal())
.getCode());
// Authenticate users with roles
@@ -153,7 +153,7 @@ public class AuthorizerManagerTest {
.checkUserPrivileges(
"user",
Collections.singletonList(new PartialPath("root.ln")),
- PrivilegeType.MANAGE_ROLE.ordinal())
+ PrivilegeType.CREATE_ROLE.ordinal())
.getCode());
// role does not have permission
Assert.assertEquals(
@@ -162,7 +162,7 @@ public class AuthorizerManagerTest {
.checkUserPrivileges(
"user",
Collections.singletonList(new PartialPath("root.ln")),
- PrivilegeType.MANAGE_USER.ordinal())
+ PrivilegeType.CREATE_USER.ordinal())
.getCode());
authorityFetcher.getAuthorCache().invalidateCache(user.getName(), "");
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
index 8b532268ca5..fc659a02db0 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java
@@ -97,7 +97,7 @@ public class LocalFileAuthorizerTest {
try {
authorizer.grantPrivilegeToUser(user.getName(), nodeName, 1);
} catch (AuthException e) {
- assertEquals("User user already has WRITE_DATA on root.laptop.d1",
e.getMessage());
+ assertEquals("User user already has INSERT_TIMESERIES on
root.laptop.d1", e.getMessage());
}
try {
authorizer.grantPrivilegeToUser("error", nodeName, 1);
@@ -122,7 +122,7 @@ public class LocalFileAuthorizerTest {
try {
authorizer.revokePrivilegeFromUser(user.getName(), nodeName, 1);
} catch (AuthException e) {
- assertEquals("User user does not have WRITE_DATA on root.laptop.d1",
e.getMessage());
+ assertEquals("User user does not have INSERT_TIMESERIES on
root.laptop.d1", e.getMessage());
}
try {
@@ -169,13 +169,13 @@ public class LocalFileAuthorizerTest {
try {
authorizer.grantPrivilegeToRole(roleName, nodeName, 1);
} catch (AuthException e) {
- assertEquals("Role role already has WRITE_DATA on root.laptop.d1",
e.getMessage());
+ assertEquals("Role role already has INSERT_TIMESERIES on
root.laptop.d1", e.getMessage());
}
authorizer.revokePrivilegeFromRole(roleName, nodeName, 1);
try {
authorizer.revokePrivilegeFromRole(roleName, nodeName, 1);
} catch (AuthException e) {
- assertEquals("Role role does not have WRITE_DATA on root.laptop.d1",
e.getMessage());
+ assertEquals("Role role does not have INSERT_TIMESERIES on
root.laptop.d1", e.getMessage());
}
authorizer.deleteRole(roleName);
try {
@@ -200,12 +200,10 @@ public class LocalFileAuthorizerTest {
// a user can get all role permissions.
Set<Integer> permissions = authorizer.getPrivileges(user.getName(),
nodeName);
- assertEquals(4, permissions.size());
- assertTrue(permissions.contains(0));
+ assertEquals(2, permissions.size());
assertTrue(permissions.contains(1));
- assertTrue(permissions.contains(2));
assertTrue(permissions.contains(3));
- assertFalse(permissions.contains(4));
+ assertFalse(permissions.contains(2));
try {
authorizer.grantRoleToUser(roleName, user.getName());
@@ -215,7 +213,7 @@ public class LocalFileAuthorizerTest {
// revoke a role from a user, the user will lose all role's permission
authorizer.revokeRoleFromUser(roleName, user.getName());
Set<Integer> revokeRolePermissions =
authorizer.getPrivileges(user.getName(), nodeName);
- assertEquals(2, revokeRolePermissions.size());
+ assertEquals(1, revokeRolePermissions.size());
assertTrue(revokeRolePermissions.contains(1));
assertFalse(revokeRolePermissions.contains(2));
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java
index 3a8e6ea4b9f..757f88da183 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java
@@ -34,12 +34,12 @@ public class PathPrivilegeTest {
PathPrivilege pathPrivilege = new PathPrivilege();
pathPrivilege.setPath(new PartialPath("root.ln"));
pathPrivilege.setPrivileges(Collections.singleton(1));
- Assert.assertEquals("root.ln : WRITE_DATA", pathPrivilege.toString());
+ Assert.assertEquals("root.ln : INSERT_TIMESERIES",
pathPrivilege.toString());
PathPrivilege pathPrivilege1 = new PathPrivilege();
pathPrivilege1.setPath(new PartialPath("root.sg"));
pathPrivilege1.setPrivileges(Collections.singleton(1));
Assert.assertNotEquals(pathPrivilege, pathPrivilege1);
pathPrivilege.deserialize(pathPrivilege1.serialize());
- Assert.assertEquals("root.sg : WRITE_DATA", pathPrivilege.toString());
+ Assert.assertEquals("root.sg : INSERT_TIMESERIES",
pathPrivilege.toString());
}
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java
index e32d119df68..724b6097dee 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java
@@ -36,10 +36,11 @@ public class RoleTest {
PathPrivilege pathPrivilege = new PathPrivilege(new
PartialPath("root.ln"));
role.setPrivilegeList(Collections.singletonList(pathPrivilege));
role.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1));
- Assert.assertEquals("Role{name='role', privilegeList=[root.ln :
WRITE_DATA]}", role.toString());
+ Assert.assertEquals(
+ "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}",
role.toString());
Role role1 = new Role("role1");
role1.deserialize(role.serialize());
Assert.assertEquals(
- "Role{name='role', privilegeList=[root.ln : WRITE_DATA]}",
role1.toString());
+ "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}",
role1.toString());
}
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java
index c14ce60174a..467e1777e1c 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java
@@ -37,14 +37,12 @@ public class UserTest {
user.setPrivilegeList(Collections.singletonList(pathPrivilege));
user.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1));
Assert.assertEquals(
- "User{name='user', password='password', privilegeList=[root.ln :
WRITE_DATA], roleList=[], "
- + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}",
+ "User{name='user', password='password', privilegeList=[root.ln :
INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false,
lastActiveTime=0}",
user.toString());
User user1 = new User("user1", "password1");
user1.deserialize(user.serialize());
Assert.assertEquals(
- "User{name='user', password='password', privilegeList=[root.ln :
WRITE_DATA], roleList=[], "
- + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}",
+ "User{name='user', password='password', privilegeList=[root.ln :
INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false,
lastActiveTime=0}",
user1.toString());
}
}
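Review bot: The expected `toString()` string now asserted here includes `password='password'`, so the test pins a `User.toString()` that emits the credential field; any log or exception message that formats a User object would then leak the stored password (or its hash, if the field holds one — the field's contents cannot be confirmed from this hunk). I would mask the field in `User.toString()` (outside this hunk) and change both assertions to expect something like `password='***'`. Until that is done, a comment on the assertion, `// NOTE: toString() currently exposes the password field — do not log User objects`, would at least warn callers.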
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
index a1ce4909901..a4ebb201539 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java
@@ -65,13 +65,13 @@ public class LocalFileUserManagerTest {
public void testIllegalInput() throws AuthException {
// Password contains space
try {
- manager.createUser("username1", "password_ ", false);
+ manager.createUser("username1", "password_ ");
} catch (AuthException e) {
assertTrue(e.getMessage().contains("cannot contain spaces"));
}
// Username contains space
try {
- assertFalse(manager.createUser("username 2", "password_", false));
+ assertFalse(manager.createUser("username 2", "password_"));
} catch (AuthException e) {
assertTrue(e.getMessage().contains("cannot contain spaces"));
}
@@ -94,7 +94,7 @@ public class LocalFileUserManagerTest {
User user = manager.getUser(users[0].getName());
assertNull(user);
for (User user1 : users) {
- assertTrue(manager.createUser(user1.getName(), user1.getPassword(),
false));
+ assertTrue(manager.createUser(user1.getName(), user1.getPassword()));
}
for (User user1 : users) {
user = manager.getUser(user1.getName());
@@ -102,17 +102,17 @@ public class LocalFileUserManagerTest {
assertTrue(AuthUtils.validatePassword(user1.getPassword(),
user.getPassword()));
}
- assertFalse(manager.createUser(users[0].getName(), users[0].getPassword(),
false));
+ assertFalse(manager.createUser(users[0].getName(),
users[0].getPassword()));
boolean caught = false;
try {
- manager.createUser("too", "short", false);
+ manager.createUser("too", "short");
} catch (AuthException e) {
caught = true;
}
assertTrue(caught);
caught = false;
try {
- manager.createUser("short", "too", false);
+ manager.createUser("short", "too");
} catch (AuthException e) {
caught = true;
}
diff --git
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java
index 9ad6d671204..146947c0948 100644
---
a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java
+++
b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java
@@ -80,7 +80,7 @@ public class MessageDigestEncryptTest {
User user = manager.getUser(users[0].getName());
assertNull(user);
for (User user1 : users) {
- assertTrue(manager.createUser(user1.getName(), user1.getPassword(),
false));
+ assertTrue(manager.createUser(user1.getName(), user1.getPassword()));
}
for (User user1 : users) {
user = manager.getUser(user1.getName());
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
index 93c0237e49b..7c1c891bb92 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java
@@ -119,7 +119,7 @@ public abstract class BasicAuthorizer implements
IAuthorizer, IService {
@Override
public void createUser(String username, String password) throws
AuthException {
- if (!userManager.createUser(username, password, false)) {
+ if (!userManager.createUser(username, password)) {
throw new AuthException(
TSStatusCode.USER_ALREADY_EXIST, String.format("User %s already
exists", username));
}
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
index c3ef891ea7e..41b7252f510 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
@@ -19,63 +19,68 @@
package org.apache.iotdb.commons.auth.entity;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
/** This enum class contains all available privileges in IoTDB. */
public enum PrivilegeType {
- READ_DATA(true),
- WRITE_DATA(true, true, READ_DATA),
- READ_SCHEMA(true),
- WRITE_SCHEMA(true, true, READ_SCHEMA),
- MANAGE_USER,
- MANAGE_ROLE,
- GRANT_PRIVILEGE,
- ALTER_PASSWORD,
- USE_TRIGGER(true),
- USE_CQ,
- USE_PIPE,
- MANAGE_DATABASE(true),
- READ(true, false, READ_DATA, READ_SCHEMA),
- WRITE(true, false, WRITE_DATA, WRITE_SCHEMA),
- ALL(
- true,
- false,
- READ,
- WRITE,
- MANAGE_USER,
- MANAGE_ROLE,
- GRANT_PRIVILEGE,
- ALTER_PASSWORD,
- USE_TRIGGER,
- USE_CQ,
- USE_PIPE,
- MANAGE_DATABASE);
+ CREATE_DATABASE(true),
+ INSERT_TIMESERIES(true),
+ @Deprecated
+ UPDATE_TIMESERIES(true),
+ READ_TIMESERIES(true),
+ CREATE_TIMESERIES(true),
+ DELETE_TIMESERIES(true),
+ CREATE_USER,
+ DELETE_USER,
+ MODIFY_PASSWORD,
+ LIST_USER,
+ GRANT_USER_PRIVILEGE,
+ REVOKE_USER_PRIVILEGE,
+ GRANT_USER_ROLE,
+ REVOKE_USER_ROLE,
+ CREATE_ROLE,
+ DELETE_ROLE,
+ LIST_ROLE,
+ GRANT_ROLE_PRIVILEGE,
+ REVOKE_ROLE_PRIVILEGE,
+ CREATE_FUNCTION,
+ DROP_FUNCTION,
+ CREATE_TRIGGER(true),
+ DROP_TRIGGER(true),
+ START_TRIGGER(true),
+ STOP_TRIGGER(true),
+ CREATE_CONTINUOUS_QUERY,
+ DROP_CONTINUOUS_QUERY,
+ ALL,
+ DELETE_DATABASE(true),
+ ALTER_TIMESERIES(true),
+ UPDATE_TEMPLATE,
+ READ_TEMPLATE,
+ APPLY_TEMPLATE(true),
+ READ_TEMPLATE_APPLICATION,
+ SHOW_CONTINUOUS_QUERIES,
+ CREATE_PIPEPLUGIN,
+ DROP_PIPEPLUGIN,
+ SHOW_PIPEPLUGINS,
+ CREATE_PIPE,
+ START_PIPE,
+ STOP_PIPE,
+ DROP_PIPE,
+ SHOW_PIPES,
+ CREATE_VIEW(true),
+ ALTER_VIEW(true),
+ RENAME_VIEW(true),
+ DELETE_VIEW(true),
+ ;
private static final int PRIVILEGE_COUNT = values().length;
private final boolean isPathRelevant;
- private final boolean isStorable;
- private final List<PrivilegeType> subPrivileges = new ArrayList<>();
PrivilegeType() {
this.isPathRelevant = false;
- this.isStorable = true;
}
PrivilegeType(boolean isPathRelevant) {
this.isPathRelevant = isPathRelevant;
- this.isStorable = true;
- }
-
- PrivilegeType(boolean isPathRelevant, boolean isStorable, PrivilegeType...
privilegeTypes) {
- this.isPathRelevant = isPathRelevant;
- this.isStorable = isStorable;
- this.subPrivileges.addAll(Arrays.asList(privilegeTypes));
}
/**
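Review bot: The enum's ordinals are the stored privilege ids — `values()[type]` in `isPathRelevant(int)` below and `privilegeType.ordinal()` in the AuthUtils hunks of this same commit — so the order of the constants is part of the persisted format, yet nothing on the enum says so. The retained `@Deprecated UPDATE_TIMESERIES` looks like an ordinal placeholder, but that is inferred rather than stated. Add above the first constant: `// Ordinals are persisted as privilege ids: append new constants only at the end, never reorder or remove one (deprecate it instead).` A one-line comment on `ALL` explaining why it carries no path-relevant flag although AuthUtils grants it on a path would also help the next reader.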
@@ -89,32 +94,7 @@ public enum PrivilegeType {
return 0 <= type && type < PRIVILEGE_COUNT &&
values()[type].isPathRelevant;
}
- public static boolean isStorable(int type) {
- return 0 <= type && type < PRIVILEGE_COUNT && values()[type].isStorable;
- }
-
public boolean isPathRelevant() {
return isPathRelevant;
}
-
- public static Set<PrivilegeType> getStorablePrivilege(Integer ordinal) {
- if (ordinal < 0 || ordinal >= PRIVILEGE_COUNT) {
- return Collections.emptySet();
- }
- PrivilegeType privilegeType = PrivilegeType.values()[ordinal];
- return privilegeType.getStorablePrivilege();
- }
-
- public Set<PrivilegeType> getStorablePrivilege() {
- Set<PrivilegeType> result = new HashSet<>();
- if (isStorable) {
- // if this privilege is storable, add it to the result set
- result.add(this);
- }
- for (PrivilegeType privilegeType : subPrivileges) {
- // add all storable privileges of sub privileges to the result set
- result.addAll(privilegeType.getStorablePrivilege());
- }
- return result;
- }
}
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
index bcdd1bc1a7c..142532434b0 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java
@@ -19,7 +19,6 @@
package org.apache.iotdb.commons.auth.role;
import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.concurrent.HashLock;
import org.apache.iotdb.commons.path.PartialPath;
@@ -146,7 +145,7 @@ public abstract class BasicRoleManager implements
IRoleManager {
throw new AuthException(
TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
}
- if (PrivilegeType.isStorable(privilegeId) && !role.hasPrivilege(path,
privilegeId)) {
+ if (!role.hasPrivilege(path, privilegeId)) {
return false;
}
role.removePrivilege(path, privilegeId);
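Review bot: The new guard `if (!role.hasPrivilege(path, privilegeId)) return false;` no longer treats `ALL` specially, so revoking `ALL` from a role that holds individually granted privileges presumably returns false without removing anything, even though AuthUtils' removal path in this commit drops the whole entry when it sees `ALL`; whether that happens depends on `hasPrivilege`, which is not visible here. The same guard is introduced in BasicUserManager.revokePrivilegeFromUser in this commit. If the intended contract is "ALL revokes only when ALL itself was granted", record it: `// Revoking ALL is only honoured when ALL itself was granted; it does not sweep individually granted privileges.` The enclosing method starts outside the hunk.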
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index 042d671497c..4b872db74ed 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -19,7 +19,6 @@
package org.apache.iotdb.commons.auth.user;
import org.apache.iotdb.commons.auth.AuthException;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.concurrent.HashLock;
import org.apache.iotdb.commons.conf.CommonDescriptor;
@@ -83,8 +82,7 @@ public abstract class BasicUserManager implements
IUserManager {
if (admin == null) {
createUser(
CommonDescriptor.getInstance().getConfig().getAdminName(),
- CommonDescriptor.getInstance().getConfig().getAdminPassword(),
- true);
+ CommonDescriptor.getInstance().getConfig().getAdminPassword());
setUserUseWaterMark(CommonDescriptor.getInstance().getConfig().getAdminName(),
false);
}
logger.info("Admin initialized");
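Review bot: The admin bootstrap now goes through the same `createUser` as any client, and the createUser hunk below drops the `firstInit` bypass, so `AuthUtils.validateUsername`/`validatePassword` are applied to `getAdminName()`/`getAdminPassword()` from the configuration. A configured admin name or password shorter than the 4-character minimum or containing a space will therefore make this initialization throw `AuthException` instead of creating the admin; the enclosing method starts outside the hunk, so I cannot see how that propagates. Worth a comment at the call: `// Admin credentials from config are validated like any other user's; a non-conforming value aborts initialization.`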
@@ -113,12 +111,9 @@ public abstract class BasicUserManager implements
IUserManager {
}
@Override
- public boolean createUser(String username, String password, boolean
firstInit)
- throws AuthException {
- if (!firstInit) {
- AuthUtils.validateUsername(username);
- AuthUtils.validatePassword(password);
- }
+ public boolean createUser(String username, String password) throws
AuthException {
+ AuthUtils.validateUsername(username);
+ AuthUtils.validatePassword(password);
User user = getUser(username);
if (user != null) {
@@ -197,7 +192,7 @@ public abstract class BasicUserManager implements
IUserManager {
throw new AuthException(
TSStatusCode.USER_NOT_EXIST, String.format(NO_SUCH_USER_ERROR,
username));
}
- if (PrivilegeType.isStorable(privilegeId) && !user.hasPrivilege(path,
privilegeId)) {
+ if (!user.hasPrivilege(path, privilegeId)) {
return false;
}
user.removePrivilege(path, privilegeId);
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java
index 501ec2be4a7..f403db6195e 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java
@@ -43,11 +43,10 @@ public interface IUserManager extends SnapshotProcessor {
*
* @param username is not null or empty
* @param password is not null or empty
- * @param firstInit is first init admin
* @return True if the user is successfully created, false when the user
already exists.
* @throws AuthException if the given username or password is illegal.
*/
- boolean createUser(String username, String password, boolean firstInit)
throws AuthException;
+ boolean createUser(String username, String password) throws AuthException;
/**
* Delete a user.
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
index ad49ad5288d..a1a3507e38e 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java
@@ -50,9 +50,9 @@ public class AuthUtils {
private static final Logger logger =
LoggerFactory.getLogger(AuthUtils.class);
private static final String ROOT_PREFIX = IoTDBConstant.PATH_ROOT;
public static PartialPath ROOT_PATH_PRIVILEGE_PATH;
- private static final int MIN_LENGTH = 4;
- private static final int MAX_LENGTH = 64;
- private static final String REX_PATTERN = "^[-\\w]*$";
+ private static final int MIN_PASSWORD_LENGTH = 4;
+ private static final int MIN_USERNAME_LENGTH = 4;
+ private static final int MIN_ROLENAME_LENGTH = 4;
static {
try {
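Review bot: With `MAX_LENGTH` and `REX_PATTERN` gone, the three validators restored below (`validatePassword`, `validateUsername`, `validateRolename`) enforce only a minimum length and an embedded-space check, so arbitrarily long values and any character other than a space are accepted for user names, role names and passwords. Even if this is the rel/1.2 behaviour being restored, the absence of an upper bound and of a character-set restriction is a property callers should be able to read off the code; add to each validator's Javadoc: `No maximum length or character-set restriction is enforced; only the minimum length and the absence of spaces are checked.`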
@@ -77,7 +77,14 @@ public class AuthUtils {
* @throws AuthException contains message why password is invalid
*/
public static void validatePassword(String password) throws AuthException {
- validateNameOrPassword(password);
+ if (password.length() < MIN_PASSWORD_LENGTH) {
+ throw new AuthException(
+ TSStatusCode.ILLEGAL_PARAMETER,
+ "Password's size must be greater than or equal to " +
MIN_PASSWORD_LENGTH);
+ }
+ if (password.contains(" ")) {
+ throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Password cannot
contain spaces");
+ }
}
/**
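Review bot: `validatePassword`, and the `validateUsername` and `validateRolename` hunks that follow, are three copies of the same two checks differing only in the minimum constant and the noun in the message; the removed `validateNameOrPassword` was the shared form, and reintroducing one private helper keeps the messages byte-identical while leaving a single place to adjust the rules. The helper would be called as `validateMinLengthAndNoSpaces(password, "Password", MIN_PASSWORD_LENGTH)` and likewise with `"Username"` and `"Role name"`.
```java
public static void validatePassword(String password) throws AuthException {
  validateMinLengthAndNoSpaces(password, "Password", MIN_PASSWORD_LENGTH);
}

/** Rejects {@code value} shorter than {@code minLength} or containing a space; {@code what} names it in messages. */
private static void validateMinLengthAndNoSpaces(String value, String what, int minLength)
    throws AuthException {
  if (value.length() < minLength) {
    throw new AuthException(
        TSStatusCode.ILLEGAL_PARAMETER,
        what + "'s size must be greater than or equal to " + minLength);
  }
  if (value.contains(" ")) {
    throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, what + " cannot contain spaces");
  }
}
```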
@@ -100,7 +107,14 @@ public class AuthUtils {
* @throws AuthException contains message why username is invalid
*/
public static void validateUsername(String username) throws AuthException {
- validateNameOrPassword(username);
+ if (username.length() < MIN_USERNAME_LENGTH) {
+ throw new AuthException(
+ TSStatusCode.ILLEGAL_PARAMETER,
+ "Username's size must be greater than or equal to " +
MIN_USERNAME_LENGTH);
+ }
+ if (username.contains(" ")) {
+ throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Username cannot
contain spaces");
+ }
}
/**
@@ -110,26 +124,13 @@ public class AuthUtils {
* @throws AuthException contains message why rolename is invalid
*/
public static void validateRolename(String rolename) throws AuthException {
- validateNameOrPassword(rolename);
- }
-
- public static void validateNameOrPassword(String str) throws AuthException {
- int length = str.length();
- if (length < MIN_LENGTH) {
- throw new AuthException(
- TSStatusCode.ILLEGAL_PARAMETER,
- "The length of name or password must be greater than or equal to " +
MIN_LENGTH);
- } else if (length > MAX_LENGTH) {
+ if (rolename.length() < MIN_ROLENAME_LENGTH) {
throw new AuthException(
TSStatusCode.ILLEGAL_PARAMETER,
- "The length of name or password must be less than or equal to " +
MAX_LENGTH);
- } else if (str.contains(" ")) {
- throw new AuthException(
- TSStatusCode.ILLEGAL_PARAMETER, "The name or password cannot contain
spaces");
- } else if (!str.matches(REX_PATTERN)) {
- throw new AuthException(
- TSStatusCode.ILLEGAL_PARAMETER,
- "The name or password can only contain letters, numbers, and
underscores");
+ "Role name's size must be greater than or equal to " +
MIN_ROLENAME_LENGTH);
+ }
+ if (rolename.contains(" ")) {
+ throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Role name
cannot contain spaces");
}
}
@@ -175,12 +176,22 @@ public class AuthUtils {
if (!path.equals(ROOT_PATH_PRIVILEGE_PATH)) {
validatePath(path);
switch (type) {
- case READ_SCHEMA:
- case WRITE_SCHEMA:
- case READ_DATA:
- case WRITE_DATA:
- case USE_TRIGGER:
- case MANAGE_DATABASE:
+ case READ_TIMESERIES:
+ case CREATE_DATABASE:
+ case DELETE_DATABASE:
+ case CREATE_TIMESERIES:
+ case DELETE_TIMESERIES:
+ case INSERT_TIMESERIES:
+ case ALTER_TIMESERIES:
+ case CREATE_TRIGGER:
+ case DROP_TRIGGER:
+ case START_TRIGGER:
+ case STOP_TRIGGER:
+ case APPLY_TEMPLATE:
+ case CREATE_VIEW:
+ case ALTER_VIEW:
+ case RENAME_VIEW:
+ case DELETE_VIEW:
return;
default:
throw new AuthException(
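Review bot: The restored `case` list duplicates the `isPathRelevant` flag declared on the enum constants in this commit (every constructor-`true` constant except the deprecated `UPDATE_TIMESERIES` appears here), which leaves two places to keep in sync when a path-relevant privilege is added. The second switch in the next hunk, for `ROOT_PATH_PRIVILEGE_PATH`, omits the trigger and template constants, so the two lists are intentionally different, but nothing says why. Add a comment above each switch, e.g. `// Must match the path-relevant constants in PrivilegeType (UPDATE_TIMESERIES excluded as deprecated).` and, on the second, `// Trigger and template privileges are not accepted on the root path.` — the latter is inferred from the lists and should be confirmed. The enclosing method starts outside the hunk.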
@@ -189,11 +200,17 @@ public class AuthUtils {
}
} else {
switch (type) {
- case READ_SCHEMA:
- case WRITE_SCHEMA:
- case MANAGE_DATABASE:
- case READ_DATA:
- case WRITE_DATA:
+ case READ_TIMESERIES:
+ case CREATE_DATABASE:
+ case DELETE_DATABASE:
+ case CREATE_TIMESERIES:
+ case DELETE_TIMESERIES:
+ case INSERT_TIMESERIES:
+ case ALTER_TIMESERIES:
+ case CREATE_VIEW:
+ case ALTER_VIEW:
+ case RENAME_VIEW:
+ case DELETE_VIEW:
validatePath(path);
return;
default:
@@ -317,8 +334,12 @@ public class AuthUtils {
privilegeList.add(targetPathPrivilege);
}
// add privilegeId into targetPathPrivilege
- for (PrivilegeType privilegeType :
PrivilegeType.getStorablePrivilege(privilegeId)) {
- targetPathPrivilege.getPrivileges().add(privilegeType.ordinal());
+ if (privilegeId != PrivilegeType.ALL.ordinal()) {
+ targetPathPrivilege.getPrivileges().add(privilegeId);
+ } else {
+ for (PrivilegeType privilegeType : PrivilegeType.values()) {
+ targetPathPrivilege.getPrivileges().add(privilegeType.ordinal());
+ }
}
}
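Review bot: Granting `ALL` now stores the ordinal of every `PrivilegeType.values()` entry, which includes `ALL` itself, the deprecated `UPDATE_TIMESERIES`, and constants that are not path-relevant (e.g. `CREATE_USER`), on a path-scoped `PathPrivilege`. Revoking a single privilege in the next hunk removes only that ordinal, so `ALL`'s own ordinal presumably stays in the set after a partial revoke; whether a later check on `ALL` then still succeeds depends on `hasPrivilege`, which is not visible here. A comment would make the stored shape explicit: `// ALL is expanded to every ordinal, including ALL's own and non-path-relevant ones; a later single-privilege revoke does not clear ALL.` The enclosing method starts outside the hunk.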
@@ -339,11 +360,15 @@ public class AuthUtils {
}
}
if (targetPathPrivilege != null) {
- for (PrivilegeType privilegeType :
PrivilegeType.getStorablePrivilege(privilegeId)) {
- targetPathPrivilege.getPrivileges().remove(privilegeType.ordinal());
- }
- if (targetPathPrivilege.getPrivileges().isEmpty()) {
+ if (privilegeId == PrivilegeType.ALL.ordinal()) {
+ // remove all privileges on target path
privilegeList.remove(targetPathPrivilege);
+ } else {
+ // remove privilege on target path
+ targetPathPrivilege.getPrivileges().remove(privilegeId);
+ if (targetPathPrivilege.getPrivileges().isEmpty()) {
+ privilegeList.remove(targetPathPrivilege);
+ }
}
}
}
@@ -374,6 +399,12 @@ public class AuthUtils {
PrivilegeType[] types = PrivilegeType.values();
for (String authorization : authorizationList) {
boolean legal = false;
+ if ("SET_STORAGE_GROUP".equalsIgnoreCase(authorization)) {
+ authorization = PrivilegeType.CREATE_DATABASE.name();
+ }
+ if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(authorization)) {
+ authorization = PrivilegeType.DELETE_DATABASE.name();
+ }
for (PrivilegeType privilegeType : types) {
if (authorization.equalsIgnoreCase(privilegeType.name())) {
result.add(privilegeType.ordinal());