This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 64f0e3ce14d auth. some improvement.
64f0e3ce14d is described below
commit 64f0e3ce14d449d4570d6623936d24dc92f8734e
Author: Colin Li <[email protected]>
AuthorDate: Sat Oct 28 09:23:23 2023 +0800
auth: some improvements.
---
.../org/apache/iotdb/db/it/auth/IoTDBAuthIT.java | 95 ++++++++++------------
.../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 | 5 --
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 8 +-
.../plan/statement/sys/AuthorStatement.java | 2 +-
.../commons/auth/entity/PriPrivilegeType.java | 13 ++-
.../iotdb/commons/auth/entity/PrivilegeType.java | 3 +-
.../org/apache/iotdb/commons/auth/entity/Role.java | 6 +-
7 files changed, 60 insertions(+), 72 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
index 59bd2829542..37c69ab11aa 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -587,16 +587,15 @@ public class IoTDBAuthIT {
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER root");
ans =
- ",,MANAGE_USER,true,\n"
- + ",,MANAGE_ROLE,true,\n"
- + ",,USE_TRIGGER,true,\n"
- + ",,USE_UDF,true,\n"
- + ",,USE_CQ,true,\n"
- + ",,USE_PIPE,true,\n"
- + ",,EXTEND_TEMPLATE,true,\n"
- + ",,MANAGE_DATABASE,true,\n"
- + ",,MAINTAIN,true,\n"
- + ",,AUDIT,true,\n"
+ ",root.**,MANAGE_USER,true,\n"
+ + ",root.**,MANAGE_ROLE,true,\n"
+ + ",root.**,USE_TRIGGER,true,\n"
+ + ",root.**,USE_UDF,true,\n"
+ + ",root.**,USE_CQ,true,\n"
+ + ",root.**,USE_PIPE,true,\n"
+ + ",root.**,EXTEND_TEMPLATE,true,\n"
+ + ",root.**,MANAGE_DATABASE,true,\n"
+ + ",root.**,MAINTAIN,true,\n"
+ ",root.**,READ_DATA,true,\n"
+ ",root.**,WRITE_DATA,true,\n"
+ ",root.**,READ_SCHEMA,true,\n"
@@ -937,16 +936,15 @@ public class IoTDBAuthIT {
// 3.admin lists privileges of user1
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER
user1");
String ans =
- ",,MANAGE_USER,false,\n"
- + ",,MANAGE_ROLE,false,\n"
- + ",,USE_TRIGGER,false,\n"
- + ",,USE_UDF,false,\n"
- + ",,USE_CQ,false,\n"
- + ",,USE_PIPE,false,\n"
- + ",,EXTEND_TEMPLATE,false,\n"
- + ",,MANAGE_DATABASE,false,\n"
- + ",,MAINTAIN,false,\n"
- + ",,AUDIT,false,\n"
+ ",root.**,MANAGE_USER,false,\n"
+ + ",root.**,MANAGE_ROLE,false,\n"
+ + ",root.**,USE_TRIGGER,false,\n"
+ + ",root.**,USE_UDF,false,\n"
+ + ",root.**,USE_CQ,false,\n"
+ + ",root.**,USE_PIPE,false,\n"
+ + ",root.**,EXTEND_TEMPLATE,false,\n"
+ + ",root.**,MANAGE_DATABASE,false,\n"
+ + ",root.**,MAINTAIN,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
@@ -960,16 +958,15 @@ public class IoTDBAuthIT {
}
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user2");
ans =
- ",,MANAGE_USER,true,\n"
- + ",,MANAGE_ROLE,true,\n"
- + ",,USE_TRIGGER,true,\n"
- + ",,USE_UDF,true,\n"
- + ",,USE_CQ,true,\n"
- + ",,USE_PIPE,true,\n"
- + ",,EXTEND_TEMPLATE,true,\n"
- + ",,MANAGE_DATABASE,true,\n"
- + ",,MAINTAIN,true,\n"
- + ",,AUDIT,true,\n"
+ ",root.**,MANAGE_USER,true,\n"
+ + ",root.**,MANAGE_ROLE,true,\n"
+ + ",root.**,USE_TRIGGER,true,\n"
+ + ",root.**,USE_UDF,true,\n"
+ + ",root.**,USE_CQ,true,\n"
+ + ",root.**,USE_PIPE,true,\n"
+ + ",root.**,EXTEND_TEMPLATE,true,\n"
+ + ",root.**,MANAGE_DATABASE,true,\n"
+ + ",root.**,MAINTAIN,true,\n"
+ ",root.**,READ_DATA,true,\n"
+ ",root.**,WRITE_DATA,true,\n"
+ ",root.**,READ_SCHEMA,true,\n"
@@ -986,16 +983,15 @@ public class IoTDBAuthIT {
try {
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
ans =
- ",,MANAGE_USER,false,\n"
- + ",,MANAGE_ROLE,false,\n"
- + ",,USE_TRIGGER,false,\n"
- + ",,USE_UDF,false,\n"
- + ",,USE_CQ,false,\n"
- + ",,USE_PIPE,false,\n"
- + ",,EXTEND_TEMPLATE,false,\n"
- + ",,MANAGE_DATABASE,false,\n"
- + ",,MAINTAIN,false,\n"
- + ",,AUDIT,false,\n"
+ ",root.**,MANAGE_USER,false,\n"
+ + ",root.**,MANAGE_ROLE,false,\n"
+ + ",root.**,USE_TRIGGER,false,\n"
+ + ",root.**,USE_UDF,false,\n"
+ + ",root.**,USE_CQ,false,\n"
+ + ",root.**,USE_PIPE,false,\n"
+ + ",root.**,EXTEND_TEMPLATE,false,\n"
+ + ",root.**,MANAGE_DATABASE,false,\n"
+ + ",root.**,MAINTAIN,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
@@ -1019,21 +1015,20 @@ public class IoTDBAuthIT {
validateResultSet(resultSet, ans);
userStmt.execute("GRANT MANAGE_ROLE ON root.** TO USER user3");
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user3");
- ans = ",,MANAGE_ROLE,false,\n";
+ ans = ",root.**,MANAGE_ROLE,false,\n";
validateResultSet(resultSet, ans);
userStmt.execute("REVOKE MANAGE_ROLE ON root.** FROM USER user1");
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
ans =
- ",,MANAGE_USER,false,\n"
- + ",,USE_TRIGGER,false,\n"
- + ",,USE_UDF,false,\n"
- + ",,USE_CQ,false,\n"
- + ",,USE_PIPE,false,\n"
- + ",,EXTEND_TEMPLATE,false,\n"
- + ",,MANAGE_DATABASE,false,\n"
- + ",,MAINTAIN,false,\n"
- + ",,AUDIT,false,\n"
+ ",root.**,MANAGE_USER,false,\n"
+ + ",root.**,USE_TRIGGER,false,\n"
+ + ",root.**,USE_UDF,false,\n"
+ + ",root.**,USE_CQ,false,\n"
+ + ",root.**,USE_PIPE,false,\n"
+ + ",root.**,EXTEND_TEMPLATE,false,\n"
+ + ",root.**,MANAGE_DATABASE,false,\n"
+ + ",root.**,MAINTAIN,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
diff --git
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
index 61770d77b9a..a1cf3cf6ad2 100644
--- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
+++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
@@ -928,7 +928,6 @@ PRIVILEGE_VALUE
| USE_CQ
| USE_PIPE
| EXTEND_TEMPLATE
- | AUDIT
| MANAGE_DATABASE
| MAINTAIN
;
@@ -977,10 +976,6 @@ EXTEND_TEMPLATE
: E X T E N D '_' T E M P L A T E
;
-AUDIT
- : A U D I T
- ;
-
MANAGE_DATABASE
: M A N A G E '_' D A T A B A S E
;
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 5fe9f9fd613..2830289681f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -231,7 +231,7 @@ public class AuthorityChecker {
builder = new TsBlockBuilder(types);
TUserResp user = authResp.getPermissionInfo().getUserInfo();
if (user != null) {
- appendPriBuilder("", "", user.getSysPriSet(),
user.getSysPriSetGrantOpt(), builder);
+ appendPriBuilder("", "root.**", user.getSysPriSet(),
user.getSysPriSetGrantOpt(), builder);
for (TPathPrivilege path : user.getPrivilegeList()) {
appendPriBuilder("", path.getPath(), path.getPriSet(),
path.getPriGrantOpt(), builder);
}
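Review bot: The literal `"root.**"` that now stands in for a system privilege's scope is hard-coded here and again for roles in the next hunk, with nothing recording why system privileges are reported under that path. Since LIST PRIVILEGES output can no longer distinguish a system privilege from a path privilege granted on `root.**` (the integration-test expectations list MANAGE_USER and READ_DATA on the same path, and the test grants `MANAGE_ROLE ON root.**`), the intent is worth pinning in one place. I would hoist it to `private static final String SYS_PRIVILEGE_PATH = "root.**"; // system privileges are granted ON root.**, so list them under that path` and use it at both call sites so they cannot drift apart. The enclosing method begins before this hunk.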
@@ -241,7 +241,11 @@ public class AuthorityChecker {
while (it.hasNext()) {
TRoleResp role = it.next().getValue();
appendPriBuilder(
- role.getRoleName(), "", role.getSysPriSet(),
role.getSysPriSetGrantOpt(), builder);
+ role.getRoleName(),
+ "root.**",
+ role.getSysPriSet(),
+ role.getSysPriSetGrantOpt(),
+ builder);
for (TPathPrivilege path : role.getPrivilegeList()) {
appendPriBuilder(
role.getRoleName(), path.getPath(), path.getPriSet(),
path.getPriGrantOpt(), builder);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
index 5acbf06a12e..1b325793fd2 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
@@ -315,7 +315,7 @@ public class AuthorStatement extends Statement implements
IConfigStatement {
}
return AuthorityChecker.getOptTSStatus(
AuthorityChecker.checkGrantOption(userName, privilegeList,
nodeNameList),
- "Has no permission to execute"
+ "Has no permission to execute "
+ authorType
+ ", please ensure you have these privileges and the grant
option is TRUE when granted");
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
index 43e055a1a43..d7898624eea 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PriPrivilegeType.java
@@ -69,13 +69,12 @@ public enum PriPrivilegeType {
PrivilegeType.WRITE_DATA,
PrivilegeType.READ_DATA,
PrivilegeType.READ_SCHEMA,
- PrivilegeType.MAINTAIN,
- PrivilegeType.AUDIT),
+ PrivilegeType.MAINTAIN),
DELETE_DATABASE(true, false, PrivilegeType.MANAGE_DATABASE),
ALTER_TIMESERIES(true, true, PrivilegeType.WRITE_SCHEMA),
UPDATE_TEMPLATE(false),
READ_TEMPLATE(false),
- APPLY_TEMPLATE(false),
+ APPLY_TEMPLATE(true, PrivilegeType.WRITE_SCHEMA),
READ_TEMPLATE_APPLICATION(false),
SHOW_CONTINUOUS_QUERIES(false),
CREATE_PIPEPLUGIN(false, PrivilegeType.USE_PIPE),
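Review bot: `APPLY_TEMPLATE(true, PrivilegeType.WRITE_SCHEMA)` maps a narrow legacy privilege onto WRITE_SCHEMA, which, judging by ALTER_TIMESERIES resolving to the same target, is a considerably broader right; if the leading `true` means the legacy grant is accepted and converted, a principal who only held APPLY_TEMPLATE ends up with every WRITE_SCHEMA operation after conversion. The three-argument form used by `ALTER_TIMESERIES(true, true, PrivilegeType.WRITE_SCHEMA)` carries a second boolean that this entry omits; if that flag marks a path-scoped privilege, APPLY_TEMPLATE (which targets a path) probably needs the same form. I would add `// widened to WRITE_SCHEMA on purpose; no narrower equivalent exists` on the entry and confirm the constructor semantics, which, like the start of the enum, lie outside this hunk.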
@@ -86,10 +85,10 @@ public enum PriPrivilegeType {
STOP_PIPE(false, PrivilegeType.USE_PIPE),
DROP_PIPE(false, PrivilegeType.USE_PIPE),
SHOW_PIPES(false),
- CREATE_VIEW(false),
- ALTER_VIEW(false),
- RENAME_VIEW(false),
- DELETE_VIEW(false),
+ CREATE_VIEW(true, PrivilegeType.WRITE_SCHEMA),
+ ALTER_VIEW(true, PrivilegeType.WRITE_SCHEMA),
+ RENAME_VIEW(true, PrivilegeType.WRITE_SCHEMA),
+ DELETE_VIEW(true, PrivilegeType.WRITE_SCHEMA),
;
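Review bot: The four view entries move from `(false)` to `(true, PrivilegeType.WRITE_SCHEMA)`, so if the first flag means "accept and convert", legacy view privileges collapse into full WRITE_SCHEMA; DELETE_VIEW in particular would then also confer the right to create and alter any schema object. Nothing in the hunk states that this widening is intended, so a comment such as `// legacy view privileges collapse into WRITE_SCHEMA; broader than the original grant, accepted deliberately` would stop a later reader from treating it as an oversight. It is also worth checking whether these should use the three-argument path-scoped form that ALTER_TIMESERIES uses in the previous hunk, since views are addressed by path.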
boolean accept = false;
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
index 532dd02cd32..73201aeb4ce 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java
@@ -35,8 +35,7 @@ public enum PrivilegeType {
USE_PIPE,
EXTEND_TEMPLATE,
MANAGE_DATABASE,
- MAINTAIN,
- AUDIT;
+ MAINTAIN;
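Review bot: Removing AUDIT changes `values().length` (PRIVILEGE_COUNT on the following line) while nothing in the commit handles privilege sets already persisted with an AUDIT bit; because AUDIT was the last constant the other ordinals stay stable, but a stored set that still carries that highest bit would now index past PRIVILEGE_COUNT when loaded. If users or roles serialised by an earlier build can exist, the loader should ignore or log unknown indices rather than fail or misattribute them — I cannot see that code from here. A comment on the enum, `// ordinals are persisted: only append constants, never remove or reorder`, would document the constraint this relies on. The enum declaration starts before this hunk.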
private static final int PRIVILEGE_COUNT = values().length;
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
index 705f372d483..9533822bcd2 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
@@ -145,8 +145,6 @@ public class Role {
case 7:
return PrivilegeType.EXTEND_TEMPLATE.ordinal();
case 8:
- return PrivilegeType.AUDIT.ordinal();
- case 9:
return PrivilegeType.MAINTAIN.ordinal();
default:
return -1;
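Review bot: Moving MAINTAIN from `case 9` to `case 8` means a stored value of 8, which this mapping previously resolved to AUDIT, now resolves to MAINTAIN, and a stored 9 falls through to the `default` -1; if this switch decodes persisted user or role data, an upgrade silently turns former AUDIT holders into MAINTAIN holders and strips MAINTAIN from those who had it. Unless it is certain that no such data exists, keep the retired slot explicitly rejected, `case 8: return -1; // formerly AUDIT, removed`, and leave MAINTAIN at 9, or ship a migration alongside the renumbering. The enclosing method begins and ends outside this hunk.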
@@ -172,10 +170,8 @@ public class Role {
return 6;
case EXTEND_TEMPLATE:
return 7;
- case AUDIT:
- return 8;
case MAINTAIN:
- return 9;
+ return 8;
default:
return -1;
}
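Review bot: This switch is the hand-maintained inverse of the one in the previous hunk, and the AUDIT removal had to be applied to each separately; deriving both directions from a single table (an `EnumMap<PrivilegeType, Integer>` and its reversed `int[]`, built once in a static initializer) would turn a future mismatch into a startup failure instead of a silent privilege remap. At minimum, a unit test asserting that converting each valid index to a PrivilegeType and back yields the same index, plus a comment above both switches saying the numbering is a persisted format that must not be renumbered, would pin the contract. The enclosing method starts before this hunk.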