This is an automated email from the ASF dual-hosted git repository.
jackietien pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 70f02780a8a Support authentication for maintain and udf management
statement
70f02780a8a is described below
commit 70f02780a8a555729464413e6799629b04820eb5
Author: Jackie Tien <[email protected]>
AuthorDate: Sat Feb 8 14:04:02 2025 +0800
Support authentication for maintain and udf management statement
---
.../iotdb/db/it/auth/IoTDBSystemPermissionIT.java | 2 +-
.../org/apache/iotdb/db/it/utils/TestUtils.java | 33 +++
.../it/query/recent/IoTDBMaintainAuthIT.java | 289 +++++++++++++++++++++
.../it/query/recent/IoTDBQueryAuthIT.java | 3 +-
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 3 +
.../plan/execution/config/ConfigExecution.java | 4 +-
.../execution/config/TableConfigTaskVisitor.java | 3 +
.../config/executor/ClusterConfigTaskExecutor.java | 17 +-
.../plan/relational/security/AccessControl.java | 8 +
.../relational/security/AccessControlImpl.java | 10 +
.../relational/security/AllowAllAccessControl.java | 5 +
11 files changed, 369 insertions(+), 8 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
index 4b3cebd68f1..2b04fcc64b1 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBSystemPermissionIT.java
@@ -219,7 +219,7 @@ public class IoTDBSystemPermissionIT {
executeNonQuery("show queries", "test", "test123");
assertNonQueryTestFail(
"kill query 'test'",
- "305: Please ensure your input <queryId> is correct",
+ "701: Please ensure your input <queryId> is correct",
"test",
"test123");
executeNonQuery("show cluster", "test", "test123");
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/utils/TestUtils.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/utils/TestUtils.java
index 15de78c0e3d..c39cfb6ce6d 100644
--- a/integration-test/src/test/java/org/apache/iotdb/db/it/utils/TestUtils.java
+++ b/integration-test/src/test/java/org/apache/iotdb/db/it/utils/TestUtils.java
@@ -268,6 +268,39 @@ public class TestUtils {
}
}
+ public static void tableExecuteTest(String sql, String userName, String
password) {
+ try (Connection connection =
+ EnvFactory.getEnv().getConnection(userName, password,
BaseEnv.TABLE_SQL_DIALECT)) {
+ connection.setClientInfo("time_zone", "+00:00");
+ try (Statement statement = connection.createStatement()) {
+ statement.execute(sql);
+ }
+ } catch (SQLException e) {
+ e.printStackTrace();
+ fail(e.getMessage());
+ }
+ }
+
+ public static void tableQueryNoVerifyResultTest(
+ String sql, String[] expectedHeader, String userName, String password) {
+ try (Connection connection =
+ EnvFactory.getEnv().getConnection(userName, password,
BaseEnv.TABLE_SQL_DIALECT)) {
+ connection.setClientInfo("time_zone", "+00:00");
+ try (Statement statement = connection.createStatement()) {
+ try (ResultSet resultSet = statement.executeQuery(sql)) {
+ ResultSetMetaData resultSetMetaData = resultSet.getMetaData();
+ for (int i = 1; i <= resultSetMetaData.getColumnCount(); i++) {
+ assertEquals(expectedHeader[i - 1],
resultSetMetaData.getColumnName(i));
+ }
+ assertEquals(expectedHeader.length,
resultSetMetaData.getColumnCount());
+ }
+ }
+ } catch (SQLException e) {
+ e.printStackTrace();
+ fail(e.getMessage());
+ }
+ }
+
public static void tableResultSetEqualTest(
String sql,
String[] expectedHeader,
diff --git
a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
new file mode 100644
index 00000000000..9fcdecb48f0
--- /dev/null
+++
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBMaintainAuthIT.java
@@ -0,0 +1,289 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iotdb.relational.it.query.recent;
+
+import org.apache.iotdb.it.env.EnvFactory;
+import org.apache.iotdb.it.framework.IoTDBTestRunner;
+import org.apache.iotdb.itbase.category.TableClusterIT;
+import org.apache.iotdb.itbase.category.TableLocalStandaloneIT;
+import org.apache.iotdb.rpc.TSStatusCode;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+
+import static org.apache.iotdb.db.auth.AuthorityChecker.ONLY_ADMIN_ALLOWED;
+import static org.apache.iotdb.db.it.utils.TestUtils.prepareTableData;
+import static org.apache.iotdb.db.it.utils.TestUtils.tableAssertTestFail;
+import static org.apache.iotdb.db.it.utils.TestUtils.tableExecuteTest;
+import static
org.apache.iotdb.db.it.utils.TestUtils.tableQueryNoVerifyResultTest;
+
+@RunWith(IoTDBTestRunner.class)
+@Category({TableLocalStandaloneIT.class, TableClusterIT.class})
+public class IoTDBMaintainAuthIT {
+ private static final String DATABASE_NAME = "test";
+ private static final String CREATE_USER_FORMAT = "create user %s '%s'";
+ private static final String USER_1 = "user1";
+ private static final String USER_2 = "user2";
+ private static final String PASSWORD = "password";
+
+ private static final String[] createSqls =
+ new String[] {
+ "CREATE DATABASE " + DATABASE_NAME,
+ "USE " + DATABASE_NAME,
+ "CREATE TABLE table1(device_id STRING TAG, s1 INT32 FIELD)",
+ "INSERT INTO table1(time,device_id,s1) values(1, 'd1', 1)",
+ String.format(CREATE_USER_FORMAT, USER_1, PASSWORD),
+ "GRANT MAINTAIN TO USER " + USER_1,
+ "GRANT SELECT ON TABLE table1 TO USER " + USER_1,
+ "GRANT SELECT ON information_schema.queries TO USER " + USER_1,
+ String.format(CREATE_USER_FORMAT, USER_2, PASSWORD)
+ };
+
+ @BeforeClass
+ public static void setUp() throws Exception {
+ EnvFactory.getEnv().initClusterEnvironment();
+ prepareTableData(createSqls);
+ }
+
+ @AfterClass
+ public static void tearDown() throws Exception {
+ EnvFactory.getEnv().cleanClusterEnvironment();
+ }
+
+ @Test
+ public void maintainAuthTest() {
+ // case 1: explain
+ // user1 with select on table1
+ String[] expectedHeader = new String[] {"distribution plan"};
+ tableQueryNoVerifyResultTest(
+ "explain select * from test.table1", expectedHeader, USER_1, PASSWORD);
+ // user2 without select on table1
+ tableAssertTestFail(
+ "explain select * from test.table1",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege SELECT ON test.table1",
+ USER_2,
+ PASSWORD);
+
+ // case 2: explain analyze [verbose]
+ // user1 with select on table1
+ expectedHeader = new String[] {"Explain Analyze"};
+ tableQueryNoVerifyResultTest(
+ "explain analyze select * from test.table1", expectedHeader, USER_1,
PASSWORD);
+ tableQueryNoVerifyResultTest(
+ "explain analyze verbose select * from test.table1", expectedHeader,
USER_1, PASSWORD);
+ // user2 without select on table1
+ tableAssertTestFail(
+ "explain analyze select * from test.table1",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege SELECT ON test.table1",
+ USER_2,
+ PASSWORD);
+ tableAssertTestFail(
+ "explain analyze verbose select * from test.table1",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege SELECT ON test.table1",
+ USER_2,
+ PASSWORD);
+
+ // case 3: show current_sql_dialect
+ expectedHeader = new String[] {"CurrentSqlDialect"};
+ tableQueryNoVerifyResultTest("SHOW CURRENT_SQL_DIALECT", expectedHeader,
USER_2, PASSWORD);
+
+ // case 4: show current_user
+ expectedHeader = new String[] {"CurrentUser"};
+ tableQueryNoVerifyResultTest("SHOW CURRENT_USER", expectedHeader, USER_2,
PASSWORD);
+
+ // case 5: show version
+ expectedHeader = new String[] {"Version", "BuildInfo"};
+ tableQueryNoVerifyResultTest("SHOW VERSION", expectedHeader, USER_2,
PASSWORD);
+
+ // case 6: show current_timestamp
+ expectedHeader = new String[] {"CurrentTimestamp"};
+ tableQueryNoVerifyResultTest("SHOW CURRENT_TIMESTAMP", expectedHeader,
USER_2, PASSWORD);
+
+ // case 7: show variables
+ expectedHeader = new String[] {"Variable", "Value"};
+ // user1 with MAINTAIN
+ tableQueryNoVerifyResultTest("SHOW VARIABLES", expectedHeader, USER_1,
PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "SHOW VARIABLES",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 8: show cluster_id
+ expectedHeader = new String[] {"ClusterId"};
+ // user1 with MAINTAIN
+ tableQueryNoVerifyResultTest("SHOW CLUSTER_ID", expectedHeader, USER_1,
PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "SHOW CLUSTER_ID",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 9: flush
+ // user1 with MAINTAIN
+ tableExecuteTest("FLUSH", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "FLUSH",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 10: clear cache
+ // user1 with MAINTAIN
+ tableExecuteTest("CLEAR CACHE", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "CLEAR CACHE",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 11: set configuration
+ // user1 with MAINTAIN
+ tableExecuteTest("SET CONFIGURATION query_timeout_threshold='100000'",
USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "SET CONFIGURATION query_timeout_threshold='100000'",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 12: show queries
+ // user1 with select on information_schema.queries
+ expectedHeader =
+ new String[] {"query_id", "start_time", "datanode_id", "elapsed_time",
"statement"};
+ tableQueryNoVerifyResultTest("SHOW QUERIES", expectedHeader, USER_1,
PASSWORD);
+ // user2 without select on information_schema.queries
+ tableAssertTestFail(
+ "SHOW QUERIES",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege SELECT ON information_schema.queries",
+ USER_2,
+ PASSWORD);
+
+ // case 13: kill query
+ // user1 with MAINTAIN
+ tableAssertTestFail(
+ "kill query '20250206_093300_00001_1'",
+ TSStatusCode.NO_SUCH_QUERY.getStatusCode() + ": No such query",
+ USER_1,
+ PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "kill query '20250206_093300_00001_1'",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 14: load configuration
+ // user1 with MAINTAIN
+ tableExecuteTest("LOAD CONFIGURATION", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "LOAD CONFIGURATION",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 15: set system status
+ // user1 with MAINTAIN
+ tableExecuteTest("SET SYSTEM TO RUNNING", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "SET SYSTEM TO RUNNING",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 16: start repair data
+ // user1 with MAINTAIN
+ tableExecuteTest("START REPAIR DATA", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "START REPAIR DATA",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 17: stop repair data
+ // user1 with MAINTAIN
+ tableExecuteTest("STOP REPAIR DATA", USER_1, PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "STOP REPAIR DATA",
+ TSStatusCode.NO_PERMISSION.getStatusCode()
+ + ": Access Denied: No permissions for this operation, please add
privilege MAINTAIN",
+ USER_2,
+ PASSWORD);
+
+ // case 18: create function
+ // user1 with MAINTAIN
+ tableAssertTestFail(
+ "create function udsf as
'org.apache.iotdb.db.query.udf.example.relational.ContainNull'",
+ TSStatusCode.NO_PERMISSION.getStatusCode() + ": Access Denied: " +
ONLY_ADMIN_ALLOWED,
+ USER_1,
+ PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "create function udsf as
'org.apache.iotdb.db.query.udf.example.relational.ContainNull'",
+ TSStatusCode.NO_PERMISSION.getStatusCode() + ": Access Denied: " +
ONLY_ADMIN_ALLOWED,
+ USER_2,
+ PASSWORD);
+
+ // case 19: show functions
+ // user1 with MAINTAIN
+ expectedHeader = new String[] {"FunctionName", "FunctionType",
"ClassName(UDF)", "State"};
+ tableQueryNoVerifyResultTest("SHOW FUNCTIONS", expectedHeader, USER_1,
PASSWORD);
+ // user2 without MAINTAIN
+ tableQueryNoVerifyResultTest("SHOW FUNCTIONS", expectedHeader, USER_2,
PASSWORD);
+
+ // case 20: create function
+ // user1 with MAINTAIN
+ tableAssertTestFail(
+ "drop function udsf",
+ TSStatusCode.NO_PERMISSION.getStatusCode() + ": Access Denied: " +
ONLY_ADMIN_ALLOWED,
+ USER_1,
+ PASSWORD);
+ // user2 without MAINTAIN
+ tableAssertTestFail(
+ "drop function udsf",
+ TSStatusCode.NO_PERMISSION.getStatusCode() + ": Access Denied: " +
ONLY_ADMIN_ALLOWED,
+ USER_2,
+ PASSWORD);
+ }
+}
diff --git
a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBQueryAuthIT.java
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBQueryAuthIT.java
index 88ac066261f..4557a66e7d1 100644
---
a/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBQueryAuthIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/relational/it/query/recent/IoTDBQueryAuthIT.java
@@ -81,7 +81,6 @@ public class IoTDBQueryAuthIT {
@BeforeClass
public static void setUp() throws Exception {
-
EnvFactory.getEnv().getConfig().getCommonConfig().setEnableCrossSpaceCompaction(false);
EnvFactory.getEnv().initClusterEnvironment();
prepareTableData(createSqls);
}
@@ -92,7 +91,7 @@ public class IoTDBQueryAuthIT {
}
@Test
- public void normalFillTest() {
+ public void queryAuthTest() {
// case 1: user1 with SELECT ON ANY
String[] expectedHeader1 = new String[] {"time", "device_id", "s1"};
String[] retArray1 =
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 0d6d2727250..d084e17123f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -66,6 +66,9 @@ public class AuthorityChecker {
public static final TSStatus SUCCEED = new
TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+ public static final String ONLY_ADMIN_ALLOWED =
+ "No permissions for this operation, only root user is allowed";
+
private static final String NO_PERMISSION_PROMOTION =
"No permissions for this operation, please add privilege ";
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/ConfigExecution.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/ConfigExecution.java
index 92a8a979d65..17c75ee30a8 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/ConfigExecution.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/ConfigExecution.java
@@ -93,7 +93,9 @@ public class ConfigExecution implements IQueryExecution {
TSStatusCode.ROLE_NOT_EXIST.getStatusCode(),
TSStatusCode.USER_ALREADY_HAS_ROLE.getStatusCode(),
TSStatusCode.USER_NOT_HAS_ROLE.getStatusCode(),
- TSStatusCode.NOT_HAS_PRIVILEGE_GRANTOPT.getStatusCode())));
+ TSStatusCode.NOT_HAS_PRIVILEGE_GRANTOPT.getStatusCode(),
+ TSStatusCode.SEMANTIC_ERROR.getStatusCode(),
+ TSStatusCode.NO_SUCH_QUERY.getStatusCode())));
private final MPPQueryContext context;
private final ExecutorService executor;
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index 9968142665a..779f6754d40 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -994,12 +994,14 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitKillQuery(KillQuery node, MPPQueryContext
context) {
context.setQueryType(QueryType.WRITE);
+
accessControl.checkUserHasMaintainPrivilege(context.getSession().getUserName());
return new KillQueryTask(node);
}
@Override
protected IConfigTask visitCreateFunction(CreateFunction node,
MPPQueryContext context) {
context.setQueryType(QueryType.WRITE);
+ accessControl.checkUserIsAdmin(context.getSession().getUserName());
if (node.getUriString().map(ExecutableManager::isUriTrusted).orElse(true))
{
// 1. user specified uri and that uri is trusted
// 2. user doesn't specify uri
@@ -1019,6 +1021,7 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitDropFunction(DropFunction node, MPPQueryContext
context) {
context.setQueryType(QueryType.WRITE);
+ accessControl.checkUserIsAdmin(context.getSession().getUserName());
return new DropFunctionTask(Model.TABLE, node.getUdfName());
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
index 2f3ed1a0f2d..ff7e13416a7 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/executor/ClusterConfigTaskExecutor.java
@@ -150,7 +150,6 @@ import org.apache.iotdb.db.exception.BatchProcessException;
import org.apache.iotdb.db.exception.StorageEngineException;
import org.apache.iotdb.db.exception.metadata.PathNotExistException;
import org.apache.iotdb.db.exception.metadata.SchemaQuotaExceededException;
-import org.apache.iotdb.db.exception.sql.SemanticException;
import org.apache.iotdb.db.pipe.agent.PipeDataNodeAgent;
import org.apache.iotdb.db.protocol.client.ConfigNodeClient;
import org.apache.iotdb.db.protocol.client.ConfigNodeClientManager;
@@ -1344,19 +1343,29 @@ public class ClusterConfigTaskExecutor implements
IConfigTaskExecutor {
public SettableFuture<ConfigTaskResult> killQuery(final KillQueryStatement
killQueryStatement) {
int dataNodeId = -1;
String queryId = killQueryStatement.getQueryId();
+ SettableFuture<ConfigTaskResult> future = SettableFuture.create();
if (!killQueryStatement.isKillAll()) {
String[] splits = queryId.split("_");
try {
// We just judge the input queryId has three '_' and the DataNodeId
from it is non-negative
// here
if (splits.length != 4 || ((dataNodeId = Integer.parseInt(splits[3]))
< 0)) {
- throw new SemanticException("Please ensure your input <queryId> is
correct");
+ future.setException(
+ new IoTDBException(
+ "Please ensure your input <queryId> is correct",
+ TSStatusCode.SEMANTIC_ERROR.getStatusCode(),
+ true));
+ return future;
}
} catch (NumberFormatException e) {
- throw new SemanticException("Please ensure your input <queryId> is
correct");
+ future.setException(
+ new IoTDBException(
+ "Please ensure your input <queryId> is correct",
+ TSStatusCode.SEMANTIC_ERROR.getStatusCode(),
+ true));
+ return future;
}
}
- SettableFuture<ConfigTaskResult> future = SettableFuture.create();
try (ConfigNodeClient client =
CONFIG_NODE_CLIENT_MANAGER.borrowClient(ConfigNodeInfo.CONFIG_REGION_ID)) {
final TSStatus executionStatus = client.killQuery(queryId, dataNodeId);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
index ad6494ab582..a9724b2636c 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControl.java
@@ -140,4 +140,12 @@ public interface AccessControl {
*/
void checkUserCanRunRelationalAuthorStatement(
String userName, RelationalAuthorStatement statement);
+
+ /**
+ * Check if user is admin user
+ *
+ * @param userName name of user
+ * @throws AccessDeniedException if not allowed
+ */
+ void checkUserIsAdmin(String userName);
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index fd9fd8012f2..a7757603d15 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -22,12 +22,15 @@ package
org.apache.iotdb.db.queryengine.plan.relational.security;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.exception.IoTDBException;
+import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.db.auth.AuthorityChecker;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
import org.apache.iotdb.db.queryengine.plan.relational.type.AuthorRType;
import org.apache.iotdb.rpc.TSStatusCode;
+import static org.apache.iotdb.db.auth.AuthorityChecker.ONLY_ADMIN_ALLOWED;
+
public class AccessControlImpl implements AccessControl {
private final ITableAuthChecker authChecker;
@@ -305,4 +308,11 @@ public class AccessControlImpl implements AccessControl {
break;
}
}
+
+ @Override
+ public void checkUserIsAdmin(String userName) {
+ if (!AuthorityChecker.SUPER_USER.equals(userName)) {
+ throw new AccessDeniedException(ONLY_ADMIN_ALLOWED);
+ }
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
index cea0393c7dc..7843e1601e5 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AllowAllAccessControl.java
@@ -88,4 +88,9 @@ public class AllowAllAccessControl implements AccessControl {
String userName, RelationalAuthorStatement statement) {
// allow anything
}
+
+ @Override
+ public void checkUserIsAdmin(String userName) {
+ // allow anything
+ }
}
