This is an automated email from the ASF dual-hosted git repository.
yongzao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new e626e8bd7e5 make with-grant-option optinal (#15854)
e626e8bd7e5 is described below
commit e626e8bd7e5ab8ea6ad3293efefbdc89fab5790f
Author: jintao zhu <[email protected]>
AuthorDate: Tue Aug 26 09:58:14 2025 +0800
make with-grant-option optinal (#15854)
---
.../it/env/cluster/config/MppCommonConfig.java | 6 ++
.../env/cluster/config/MppSharedCommonConfig.java | 7 ++
.../it/env/remote/config/RemoteCommonConfig.java | 5 ++
.../org/apache/iotdb/itbase/env/CommonConfig.java | 2 +
.../iotdb/db/it/auth/IoTDBGrantOptionIT.java | 81 ++++++++++++++++++++++
.../confignode/conf/SystemPropertiesUtils.java | 12 +++-
.../db/queryengine/plan/parser/ASTVisitor.java | 11 +++
.../plan/relational/sql/parser/AstBuilder.java | 6 ++
.../apache/iotdb/commons/conf/CommonConfig.java | 10 +++
.../iotdb/commons/conf/CommonDescriptor.java | 4 ++
10 files changed, 143 insertions(+), 1 deletion(-)
diff --git
a/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java
b/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java
index c9732c9cade..6ac73025a4e 100644
---
a/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java
+++
b/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java
@@ -109,6 +109,12 @@ public class MppCommonConfig extends MppBaseConfig
implements CommonConfig {
return this;
}
+ @Override
+ public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+ setProperty("enable_grant_option", String.valueOf(enableGrantOption));
+ return this;
+ }
+
@Override
public CommonConfig setUdfMemoryBudgetInMB(float
udfCollectorMemoryBudgetInMB) {
// udf_memory_budget_in_mb
diff --git
a/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java
b/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java
index 226271db7ce..1ad18e854cc 100644
---
a/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java
+++
b/integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java
@@ -89,6 +89,13 @@ public class MppSharedCommonConfig implements CommonConfig {
return this;
}
+ @Override
+ public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+ cnConfig.setEnableGrantOption(enableGrantOption);
+ dnConfig.setEnableGrantOption(enableGrantOption);
+ return this;
+ }
+
@Override
public CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int
maxMs) {
cnConfig.setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(maxMs);
diff --git
a/integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java
b/integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java
index b4f37d08b5d..47c9c03dc74 100644
---
a/integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java
+++
b/integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java
@@ -64,6 +64,11 @@ public class RemoteCommonConfig implements CommonConfig {
return this;
}
+ @Override
+ public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+ return this;
+ }
+
@Override
public CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int
maxMs) {
return this;
diff --git
a/integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java
b/integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java
index dd42d36e827..c6e8f997739 100644
---
a/integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java
+++
b/integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java
@@ -40,6 +40,8 @@ public interface CommonConfig {
CommonConfig setEncryptKeyPath(String encryptKeyPath);
+ CommonConfig setEnableGrantOption(boolean enableGrantOption);
+
CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int maxMs);
CommonConfig setUdfMemoryBudgetInMB(float udfCollectorMemoryBudgetInMB);
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBGrantOptionIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBGrantOptionIT.java
new file mode 100644
index 00000000000..e4f8a9dd142
--- /dev/null
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBGrantOptionIT.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iotdb.db.it.auth;
+
+import org.apache.iotdb.it.env.EnvFactory;
+import org.apache.iotdb.it.framework.IoTDBTestRunner;
+import org.apache.iotdb.itbase.category.ClusterIT;
+import org.apache.iotdb.itbase.category.LocalStandaloneIT;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+@Ignore
+@RunWith(IoTDBTestRunner.class)
+@Category({LocalStandaloneIT.class, ClusterIT.class})
+public class IoTDBGrantOptionIT {
+ @Before
+ public void setUp() throws Exception {
+
EnvFactory.getEnv().getConfig().getCommonConfig().setEnableGrantOption(false);
+ EnvFactory.getEnv().initClusterEnvironment();
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ EnvFactory.getEnv().cleanClusterEnvironment();
+ }
+
+ @Test
+ public void grantTest() throws SQLException {
+ try (Connection adminCon = EnvFactory.getEnv().getConnection();
+ Statement adminStmt = adminCon.createStatement()) {
+ adminStmt.execute("CREATE USER tempuser 'temppw'");
+ adminStmt.execute("CREATE USER tempuser2 'temppw2'");
+ // with grant option is disabled.
+ Assert.assertThrows(
+ SQLException.class,
+ () -> adminStmt.execute("GRANT ALL ON root.** TO USER tempuser WITH
GRANT OPTION"));
+ adminStmt.execute("GRANT ALL ON root.** TO USER tempuser");
+ try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser",
"temppw");
+ Statement userStmt = userCon.createStatement()) {
+ userStmt.execute("CREATE DATABASE root.a");
+ userStmt.execute("CREATE TIMESERIES root.a.b WITH
DATATYPE=INT32,ENCODING=PLAIN");
+ userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)");
+ userStmt.execute("SELECT * from root.a");
+ // tempuser can not grant privileges to other users
+ Assert.assertThrows(
+ SQLException.class, () -> userStmt.execute("GRANT ALL ON root.**
TO USER tempuser2"));
+ // with grant option is disabled
+ Assert.assertThrows(
+ SQLException.class,
+ () -> userStmt.execute("GRANT ALL ON root.** TO USER tempuser2
WITH GRANT OPTION"));
+ }
+ }
+ }
+}
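Review bot: The class-level `@Ignore` means this test never runs, so the only coverage for the new `enable_grant_option=false` behaviour is switched off at commit time. Either drop the annotation or give it a reason and a tracking reference, e.g. `@Ignore("<reason / issue id>")`, so the gap stays visible. The test also exercises only the tree-model `GRANT ... TO USER` path. The role grant in ASTVisitor and the table-model check in AstBuilder have no case here, nor does an account that already held grant option before the switch was turned off.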
diff --git
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/SystemPropertiesUtils.java
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/SystemPropertiesUtils.java
index aab10d7ace4..3b2b51d42fd 100644
---
a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/SystemPropertiesUtils.java
+++
b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/SystemPropertiesUtils.java
@@ -202,6 +202,15 @@ public class SystemPropertiesUtils {
COMMON_CONFIG.setTimePartitionInterval(timePartitionInterval);
}
}
+ if (systemProperties.getProperty("enable_grant_option", null) != null) {
+ boolean enableGrantOption =
+
Boolean.parseBoolean(systemProperties.getProperty("enable_grant_option"));
+ if (enableGrantOption != COMMON_CONFIG.getEnableGrantOption()) {
+ LOGGER.warn(
+ format, "enable_grant_option",
COMMON_CONFIG.getEnableGrantOption(), enableGrantOption);
+ COMMON_CONFIG.setEnableGrantOption(enableGrantOption);
+ }
+ }
}
/**
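Review bot: When the persisted `enable_grant_option` differs from the configured one, this block logs a warning and then overwrites the configured value with the persisted one via `COMMON_CONFIG.setEnableGrantOption(enableGrantOption)`. For a security switch, that means an operator who sets `enable_grant_option=false` on a cluster first started with the default `true` still has grant option enabled, with only a WARN line to show for it. If the parameter is meant to be immutable after first start, say so in a comment here and in the configuration template, and consider failing startup rather than silently keeping the more permissive value; if it is meant to be changeable, the persisted value should not win. The enclosing method starts outside the hunk, so this reading assumes it runs on every ConfigNode restart.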
@@ -273,7 +282,8 @@ public class SystemPropertiesUtils {
systemProperties.setProperty("schema_engine_mode",
COMMON_CONFIG.getSchemaEngineMode());
systemProperties.setProperty(
"tag_attribute_total_size",
String.valueOf(COMMON_CONFIG.getTagAttributeTotalSize()));
-
+ systemProperties.setProperty(
+ "enable_grant_option",
String.valueOf(COMMON_CONFIG.getEnableGrantOption()));
systemPropertiesHandler.overwrite(systemProperties);
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
index 26830571f4b..8b9f65d553f 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java
@@ -2477,7 +2477,13 @@ public class ASTVisitor extends
IoTDBSqlParserBaseVisitor<Statement> {
authorStatement.setUserName(parseIdentifier(ctx.userName.getText()));
authorStatement.setPrivilegeList(priviParsed);
authorStatement.setNodeNameList(nodeNameList);
+ if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+ && ctx.grantOpt() != null) {
+ throw new SemanticException(
+ "Grant Option is disabled, Please check the parameter
enable_grant_option.");
+ }
authorStatement.setGrantOpt(ctx.grantOpt() != null);
+
return authorStatement;
}
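Review bot: The new check rejects `WITH GRANT OPTION` only while the statement is being parsed (here, in the role-grant hunk below and in AstBuilder), and nothing visible in this commit changes how privileges that already carry grant option are evaluated. If authorization still honours stored grant-option flags, accounts that received them before the switch was turned off can presumably keep granting with a plain `GRANT`, and any path that builds an `AuthorStatement` without going through this visitor would skip the check as well. Consider enforcing the setting where the grant is authorized, documenting what happens to existing flags, and moving the three identical blocks into one helper such as `checkGrantOptionEnabled(ctx.grantOpt() != null)`. The message would also read better as `"Grant option is disabled; please check the parameter enable_grant_option."`. Both visitor methods start outside their hunks.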
@@ -2498,6 +2504,11 @@ public class ASTVisitor extends
IoTDBSqlParserBaseVisitor<Statement> {
authorStatement.setRoleName(parseIdentifier(ctx.roleName.getText()));
authorStatement.setPrivilegeList(priviParsed);
authorStatement.setNodeNameList(nodeNameList);
+ if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+ && ctx.grantOpt() != null) {
+ throw new SemanticException(
+ "Grant Option is disabled, Please check the parameter
enable_grant_option.");
+ }
authorStatement.setGrantOpt(ctx.grantOpt() != null);
return authorStatement;
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
index a69eead9a40..2f0d0995578 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java
@@ -22,6 +22,7 @@ package
org.apache.iotdb.db.queryengine.plan.relational.sql.parser;
import org.apache.iotdb.common.rpc.thrift.TConsensusGroupType;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.cluster.NodeStatus;
+import org.apache.iotdb.commons.conf.CommonDescriptor;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.schema.cache.CacheClearOptions;
import org.apache.iotdb.commons.schema.table.InformationSchema;
@@ -1808,6 +1809,11 @@ public class AstBuilder extends
RelationalSqlBaseVisitor<Node> {
String name;
toUser = ctx.holderType().getText().equalsIgnoreCase("user");
name = (((Identifier) visit(ctx.holderName)).getValue());
+ if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+ && ctx.grantOpt() != null) {
+ throw new SemanticException(
+ "Grant Option is disabled, Please check the parameter
enable_grant_option.");
+ }
boolean grantOption = ctx.grantOpt() != null;
boolean toTable;
Set<PrivilegeType> privileges;
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
index 1d7691cc35e..b7b8bade89d 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java
@@ -69,6 +69,8 @@ public class CommonConfig {
private String adminPassword = "root";
+ private Boolean enableGrantOption = true;
+
private String oldUserFolder =
IoTDBConstant.DN_DEFAULT_DATA_DIR
+ File.separator
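Review bot: `enableGrantOption` is declared as boxed `Boolean`, and the accessors in the next hunk take and return `Boolean`, so `setEnableGrantOption(null)` is accepted and every caller that writes `!...getEnableGrantOption()` would then throw a NullPointerException on unboxing. Use the primitive instead: `private boolean enableGrantOption = true;`, with `boolean` in the setter and getter. A short comment on the field stating that `true` keeps the previous behaviour and `false` rejects `WITH GRANT OPTION` would help, since the default is the permissive value.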
@@ -495,6 +497,14 @@ public class CommonConfig {
return oldUserFolder;
}
+ public void setEnableGrantOption(Boolean enableGrantOption) {
+ this.enableGrantOption = enableGrantOption;
+ }
+
+ public Boolean getEnableGrantOption() {
+ return enableGrantOption;
+ }
+
public String getOldRoleFolder() {
return oldRoleFolder;
}
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
index 2aa05216a92..f309e3e457a 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java
@@ -90,6 +90,10 @@ public class CommonDescriptor {
"iotdb_server_encrypt_decrypt_provider_parameter",
config.getEncryptDecryptProviderParameter()));
+ config.setEnableGrantOption(
+ Boolean.parseBoolean(
+ properties.getProperty("enable_grant_option",
String.valueOf("true"))));
+
String[] tierTTLStr = new String[config.getTierTTLInMs().length];
for (int i = 0; i < tierTTLStr.length; ++i) {
tierTTLStr[i] = String.valueOf(config.getTierTTLInMs()[i]);
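Review bot: The default passed to `getProperty` is the hard-coded `String.valueOf("true")`, whereas the entry just above falls back to the current config value; this duplicates the default from `CommonConfig`, and `String.valueOf` on a string literal does nothing. `properties.getProperty("enable_grant_option", String.valueOf(config.getEnableGrantOption()))` keeps a single source for the default. Note also that `Boolean.parseBoolean` maps any value other than `true` to false without complaint, an untrimmed `"true "` included, so a typo silently disables the feature; trimming the value and logging an unrecognised one would make that visible. The enclosing method starts and ends outside the hunk.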