This is an automated email from the ASF dual-hosted git repository.
shuwenwei pushed a commit to branch AuthEnhance
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/AuthEnhance by this push:
new 8af058ae3b5 add admin privileges
8af058ae3b5 is described below
commit 8af058ae3b59d7cb52ae32c2cb4015b96dcc735d
Author: shuwenwei <[email protected]>
AuthorDate: Tue Sep 16 16:28:32 2025 +0800
add admin privileges
---
.../antlr4/org/apache/iotdb/db/qp/sql/IdentifierParser.g4 | 1 +
.../antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4 | 2 ++
.../java/org/apache/iotdb/db/auth/AuthorityChecker.java | 13 ++++++++++++-
.../apache/iotdb/commons/auth/user/BasicUserManager.java | 3 ---
.../apache/iotdb/db/relational/grammar/sql/RelationalSql.g4 | 6 ++++--
5 files changed, 19 insertions(+), 6 deletions(-)
diff --git
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IdentifierParser.g4
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IdentifierParser.g4
index 2d8f2fa1ce7..418c3b047e2 100644
---
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IdentifierParser.g4
+++
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IdentifierParser.g4
@@ -209,6 +209,7 @@ keyWords
| SCHEMA
| SCHEMA_REPLICATION_FACTOR
| SCHEMA_REGION_GROUP_NUM
+ | SECURITY
| SELECT
| SERIESSLOTID
| SESSION
diff --git
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
index ee913dd0b95..3095adba3f6 100644
---
a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
+++
b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/IoTDBSqlParser.g4
@@ -1132,6 +1132,8 @@ privilegeValue
: ALL
| READ
| WRITE
+ | SYSTEM
+ | SECURITY
| PRIVILEGE_VALUE
;
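Review bot: Making SYSTEM and SECURITY accepted as `privilegeValue` widens what a `GRANT` statement can hand out, but nothing in this commit touches the authorization check for the GRANT statement itself. Confirm that the existing grant path requires the granter to already hold SYSTEM/SECURITY with grant option (or restricts them to the built-in admin); if it does not, a user with ordinary grant rights could escalate into the new admin tier just by naming it. AUDIT is not added here while the same commit hides it from the privilege listing in AuthorityChecker; if AUDIT is intentionally non-grantable, a grammar comment such as `// AUDIT is not grantable through GRANT; it is hidden from listings by AuthorityChecker.isIgnoredPrivilege` would record that decision next to the alternatives.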
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 504e0250186..c30a47c205d 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -28,6 +28,7 @@ import org.apache.iotdb.commons.path.PathPatternTree;
import org.apache.iotdb.commons.schema.column.ColumnHeader;
import org.apache.iotdb.commons.schema.column.ColumnHeaderConstant;
import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
+import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.confignode.rpc.thrift.TAuthorizerResp;
import org.apache.iotdb.confignode.rpc.thrift.TDBPrivilege;
import org.apache.iotdb.confignode.rpc.thrift.TPathPrivilege;
@@ -173,7 +174,10 @@ public class AuthorityChecker {
return hasPermission
? SUCCEED
: new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
- .setMessage(NO_PERMISSION_PROMOTION + neededPrivilege);
+ .setMessage(
+ NO_PERMISSION_PROMOTION
+ + getSatisfyAnyNeededPrivilegeString(
+
AuthUtils.getAllPrivilegesContainingCurrentPrivilege(neededPrivilege)));
}
private static String getSatisfyAnyNeededPrivilegeString(List<PrivilegeType>
privileges) {
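Review bot: The rejection message now appends whatever `AuthUtils.getAllPrivilegesContainingCurrentPrivilege(neededPrivilege)` returns, so if that helper returns an empty list for a privilege that no admin tier covers, the prompt ends with an empty privilege clause instead of the original `neededPrivilege`. Either confirm the helper always includes `neededPrivilege` itself, or fall back explicitly: `List<PrivilegeType> candidates = AuthUtils.getAllPrivilegesContainingCurrentPrivilege(neededPrivilege);` followed by `String hint = candidates.isEmpty() ? String.valueOf(neededPrivilege) : getSatisfyAnyNeededPrivilegeString(candidates);` and use `hint` in `setMessage`. The enclosing method begins before the hunk and `getSatisfyAnyNeededPrivilegeString` continues past it.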
@@ -396,6 +400,9 @@ public class AuthorityChecker {
private static void appendPriBuilder(
String name, String scope, Set<Integer> priv, Set<Integer> grantOpt,
TsBlockBuilder builder) {
for (int i : priv) {
+ if (isIgnoredPrivilege(i)) {
+ continue;
+ }
builder.getColumnBuilder(0).writeBinary(new Binary(name,
TSFileConfig.STRING_CHARSET));
builder.getColumnBuilder(1).writeBinary(new Binary(scope,
TSFileConfig.STRING_CHARSET));
builder
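Review bot: The new `continue` silently drops AUDIT rows from the privilege listing, so a user or auditor running the list command can no longer see that AUDIT is held, even though the same commit lets the built-in admin receive every admin-tier privilege in BasicUserManager. A hidden-but-granted privilege is exactly the kind of thing a later reviewer needs explained at the skip, e.g. `// AUDIT is managed internally and deliberately omitted from privilege listings`; if the omission is temporary, a TODO with the reason would keep it from being forgotten. The loop body and `appendPriBuilder` continue past the hunk.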
@@ -408,6 +415,10 @@ public class AuthorityChecker {
}
}
+ private static boolean isIgnoredPrivilege(int i) {
+ return PrivilegeType.values()[i] == PrivilegeType.AUDIT;
+ }
+
private static void appendEntryInfo(String name, TRoleResp resp,
TsBlockBuilder builder) {
// System privilege.
appendPriBuilder(name, "", resp.getSysPriSet(),
resp.getSysPriSetGrantOpt(), builder);
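Review bot: `PrivilegeType.values()[i]` in `isIgnoredPrivilege` indexes the enum by raw ordinal with no bounds check, so a stale or unexpected privilege id in `priv` (for instance from a node running a version with a shorter enum) throws ArrayIndexOutOfBoundsException out of the listing rather than being handled. `values()` also clones the array on every call, and this runs once per privilege in the loop. Cache it once, `private static final PrivilegeType[] PRIVILEGE_TYPES = PrivilegeType.values();`, and guard the index, `return i >= 0 && i < PRIVILEGE_TYPES.length && PRIVILEGE_TYPES[i] == PrivilegeType.AUDIT;` — how an out-of-range id should then surface (skipped, logged, or shown) depends on the builder code that follows, which is outside the hunk. If the file already maps ids to `PrivilegeType` elsewhere, reusing that helper would be preferable to another ad-hoc lookup.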
diff --git
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
index 3ac91f653ab..296cd0fa6a4 100644
---
a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
+++
b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
@@ -82,9 +82,6 @@ public abstract class BasicUserManager extends
BasicRoleManager {
PartialPath rootPath = new PartialPath(IoTDBConstant.PATH_ROOT + ".**");
PathPrivilege pathPri = new PathPrivilege(rootPath);
for (PrivilegeType item : PrivilegeType.values()) {
- if (item.isAdminPrivilege()) {
- continue;
- }
if (item.isSystemPrivilege()) {
admin.grantSysPrivilege(item, true);
} else if (item.isRelationalPrivilege()) {
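Review bot: Removing the `isAdminPrivilege()` skip means the built-in admin is now granted every admin-tier privilege through `admin.grantSysPrivilege(item, true)`, i.e. with grant option, so it can delegate SYSTEM, SECURITY and, if it is an admin system privilege, AUDIT to any user or role. If the new tiers are meant to separate duties, consider granting them without grant option, `admin.grantSysPrivilege(item, !item.isAdminPrivilege());`, or document that admin is intentionally a superuser above the tiers. Note this also interacts with AuthorityChecker now hiding AUDIT from listings: admin would hold a privilege that the list command never displays. The loop and the relational branch continue past the hunk.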
diff --git
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
index cf1103182d7..38a461c93f6 100644
---
a/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
+++
b/iotdb-core/relational-grammar/src/main/antlr4/org/apache/iotdb/db/relational/grammar/sql/RelationalSql.g4
@@ -765,6 +765,8 @@ objectScope
systemPrivilege
: MANAGE_USER
| MANAGE_ROLE
+ | SYSTEM
+ | SECURITY
;
objectPrivilege
@@ -1372,7 +1374,7 @@ authorizationUser
nonReserved
// IMPORTANT: this rule must only contain tokens. Nested rules are not
supported. See SqlParser.exitNonReserved
- : ABSENT | ADD | ADMIN | AFTER | ALL | ANALYZE | ANY | ARRAY | ASC | AT |
ATTRIBUTE | AUTHORIZATION
+ : ABSENT | ADD | ADMIN | AFTER | ALL | ANALYZE | ANY | ARRAY | ASC | AT |
ATTRIBUTE | AUDIT | AUTHORIZATION
| BEGIN | BERNOULLI | BOTH
| CACHE | CALL | CALLED | CASCADE | CATALOG | CATALOGS | CHAR | CHARACTER
| CHARSET | CLEAR | CLUSTER | CLUSTERID | COLUMN | COLUMNS | COMMENT | COMMIT |
COMMITTED | CONDITION | CONDITIONAL | CONFIGNODES | CONFIGNODE | CONFIGURATION
| CONNECTOR | CONSTANT | COPARTITION | COUNT | CURRENT
| DATA | DATABASE | DATABASES | DATANODE | DATANODES | DATASET | DATE |
DAY | DECLARE | DEFAULT | DEFINE | DEFINER | DENY | DESC | DESCRIPTOR |
DETAILS| DETERMINISTIC | DEVICES | DISTRIBUTED | DO | DOUBLE
@@ -1391,7 +1393,7 @@ nonReserved
| QUERIES | QUERY | QUOTES
| RANGE | READ | READONLY | RECONSTRUCT | REFRESH | REGION | REGIONID |
REGIONS | REMOVE | RENAME | REPAIR | REPEAT | REPEATABLE | REPLACE | RESET |
RESPECT | RESTRICT | RETURN | RETURNING | RETURNS | REVOKE | ROLE | ROLES |
ROLLBACK | ROOT | ROW | ROWS | RPR_FIRST | RPR_LAST | RUNNING
| SERIESSLOTID | SCALAR | SCHEMA | SCHEMAS | SECOND | SECURITY | SEEK |
SERIALIZABLE | SESSION | SET | SETS
- | SHOW | SINK | SOME | SOURCE | START | STATS | STOP | SUBSCRIPTION |
SUBSCRIPTIONS | SUBSET | SUBSTRING | SYSTEM
+ | SECURITY | SHOW | SINK | SOME | SOURCE | START | STATS | STOP |
SUBSCRIPTION | SUBSCRIPTIONS | SUBSET | SUBSTRING | SYSTEM
| TABLES | TABLESAMPLE | TAG | TEXT | TEXT_STRING | TIES | TIME |
TIMEPARTITION | TIMER | TIMER_XL | TIMESERIES | TIMESLOTID | TIMESTAMP | TO |
TOPIC | TOPICS | TRAILING | TRANSACTION | TRUNCATE | TRY_CAST | TYPE
| UNBOUNDED | UNCOMMITTED | UNCONDITIONAL | UNIQUE | UNKNOWN | UNMATCHED |
UNTIL | UPDATE | URI | USE | USED | USER | UTF16 | UTF32 | UTF8
| VALIDATE | VALUE | VARIABLES | VARIATION | VERBOSE | VERSION | VIEW
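Review bot: After this change `SECURITY` appears twice in `nonReserved` — once in the unchanged alternative on the preceding line and again at the start of the rewritten `| SECURITY | SHOW | ...` line — so the new occurrence is redundant and may draw a duplicate-alternative warning from the ANTLR tool. Drop it and keep the line as `| SHOW | SINK | SOME | SOURCE | START | STATS | STOP | SUBSCRIPTION | SUBSCRIPTIONS | SUBSET | SUBSTRING | SYSTEM`. Adding AUDIT here while leaving it out of `systemPrivilege` is consistent with AUDIT not being grantable in relational SQL; if that is deliberate, a short comment on `systemPrivilege` would save the next reader from guessing. The `nonReserved` rule continues past the hunk.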