This is an automated email from the ASF dual-hosted git repository.
shuwenwei pushed a commit to branch AuthEnhance
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/AuthEnhance by this push:
new 466bdace1cf check author statement
466bdace1cf is described below
commit 466bdace1cf562419fea7b7e4423a27164c63416
Author: shuwenwei <[email protected]>
AuthorDate: Wed Sep 17 18:17:45 2025 +0800
check author statement
---
.../execution/config/TableConfigTaskVisitor.java | 6 ++
.../execution/config/TreeConfigTaskVisitor.java | 6 ++
.../relational/security/AccessControlImpl.java | 47 +-----------
.../security/TreeAccessCheckVisitor.java | 56 ++------------
.../sql/ast/RelationalAuthorStatement.java | 89 ++++++++++++++++++++++
.../plan/statement/sys/AuthorStatement.java | 32 ++++++++
6 files changed, 142 insertions(+), 94 deletions(-)
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
index 212497ef856..cbfa9edbf49 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java
@@ -20,6 +20,7 @@
package org.apache.iotdb.db.queryengine.plan.execution.config;
import org.apache.iotdb.common.rpc.thrift.Model;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.exception.IllegalPathException;
@@ -228,6 +229,7 @@ import
org.apache.iotdb.db.queryengine.plan.statement.sys.StartRepairDataStateme
import
org.apache.iotdb.db.queryengine.plan.statement.sys.StopRepairDataStatement;
import org.apache.iotdb.db.utils.DataNodeAuthUtils;
import org.apache.iotdb.pipe.api.customizer.parameter.PipeParameters;
+import org.apache.iotdb.rpc.TSStatusCode;
import org.apache.tsfile.common.conf.TSFileConfig;
import org.apache.tsfile.enums.TSDataType;
@@ -1323,6 +1325,10 @@ public class TableConfigTaskVisitor extends
AstVisitor<IConfigTask, MPPQueryCont
@Override
protected IConfigTask visitRelationalAuthorPlan(
RelationalAuthorStatement node, MPPQueryContext context) {
+ TSStatus status =
node.checkStatementIsValid(context.getSession().getUserName());
+ if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ throw new SemanticException(status.getMessage());
+ }
accessControl.checkUserCanRunRelationalAuthorStatement(
context.getSession().getUserName(), node);
context.setQueryType(node.getQueryType());
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java
index 4ea9513320c..d84b4aa7d9c 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TreeConfigTaskVisitor.java
@@ -20,6 +20,7 @@
package org.apache.iotdb.db.queryengine.plan.execution.config;
import org.apache.iotdb.common.rpc.thrift.Model;
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.executable.ExecutableManager;
import org.apache.iotdb.commons.path.PartialPath;
@@ -209,6 +210,7 @@ import
org.apache.iotdb.db.queryengine.plan.statement.sys.quota.SetThrottleQuota
import
org.apache.iotdb.db.queryengine.plan.statement.sys.quota.ShowSpaceQuotaStatement;
import
org.apache.iotdb.db.queryengine.plan.statement.sys.quota.ShowThrottleQuotaStatement;
import org.apache.iotdb.db.utils.DataNodeAuthUtils;
+import org.apache.iotdb.rpc.TSStatusCode;
import org.apache.tsfile.exception.NotImplementedException;
@@ -311,6 +313,10 @@ public class TreeConfigTaskVisitor extends
StatementVisitor<IConfigTask, MPPQuer
if (statement.getAuthorType() == AuthorType.UPDATE_USER) {
visitUpdateUser(statement);
}
+ TSStatus status =
statement.checkStatementIsValid(context.getSession().getUserName());
+ if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+ throw new SemanticException(status.getMessage());
+ }
return new AuthorizerTask(statement);
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
index 3ddd2cd04be..6f95f8337c0 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java
@@ -25,13 +25,11 @@ import
org.apache.iotdb.commons.exception.auth.AccessDeniedException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.schema.table.InformationSchema;
import org.apache.iotdb.db.auth.AuthorityChecker;
-import org.apache.iotdb.db.exception.sql.SemanticException;
import
org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
import
org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
import org.apache.iotdb.db.queryengine.plan.relational.type.AuthorRType;
import org.apache.iotdb.db.queryengine.plan.statement.Statement;
import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
-import org.apache.iotdb.db.queryengine.plan.statement.sys.AuthorStatement;
import org.apache.iotdb.db.schemaengine.table.InformationSchemaUtils;
import org.apache.iotdb.rpc.TSStatusCode;
@@ -197,20 +195,12 @@ public class AccessControlImpl implements AccessControl {
AuthorRType type = statement.getAuthorType();
switch (type) {
case CREATE_USER:
- // admin cannot be created.
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot create user has same name
with admin user");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
authChecker.checkGlobalPrivilege(userName,
TableModelPrivilege.MANAGE_USER);
return;
case DROP_USER:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())
- || statement.getUserName().equals(userName)) {
- throw new AccessDeniedException("Cannot drop admin user or
yourself");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
@@ -230,9 +220,6 @@ public class AccessControlImpl implements AccessControl {
}
return;
case CREATE_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getRoleName())) {
- throw new AccessDeniedException("Cannot create role has same name
with admin user");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
@@ -240,9 +227,6 @@ public class AccessControlImpl implements AccessControl {
return;
case DROP_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot drop role with admin name");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
@@ -250,9 +234,6 @@ public class AccessControlImpl implements AccessControl {
return;
case GRANT_USER_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant role to admin");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
@@ -260,9 +241,6 @@ public class AccessControlImpl implements AccessControl {
return;
case REVOKE_USER_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot revoke role from admin");
- }
if (AuthorityChecker.SUPER_USER.equals(userName)) {
return;
}
@@ -290,9 +268,6 @@ public class AccessControlImpl implements AccessControl {
case GRANT_USER_ANY:
case REVOKE_ROLE_ANY:
case REVOKE_USER_ANY:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant/revoke privileges of
admin user");
- }
if (hasGlobalPrivilege(userName, PrivilegeType.SECURITY)) {
return;
}
@@ -305,9 +280,6 @@ public class AccessControlImpl implements AccessControl {
case REVOKE_ROLE_ALL:
case GRANT_USER_ALL:
case REVOKE_USER_ALL:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant/revoke all privileges
of admin user");
- }
if (hasGlobalPrivilege(userName, PrivilegeType.SECURITY)) {
return;
}
@@ -325,13 +297,6 @@ public class AccessControlImpl implements AccessControl {
case GRANT_ROLE_DB:
case REVOKE_USER_DB:
case REVOKE_ROLE_DB:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant/revoke privileges of
admin user");
- }
- if
(InformationSchema.INFORMATION_DATABASE.equals(statement.getDatabase())) {
- throw new SemanticException(
- "Cannot grant or revoke any privileges to information_schema");
- }
if (hasGlobalPrivilege(userName, PrivilegeType.SECURITY)) {
return;
}
@@ -346,13 +311,6 @@ public class AccessControlImpl implements AccessControl {
case GRANT_ROLE_TB:
case REVOKE_USER_TB:
case REVOKE_ROLE_TB:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant/revoke privileges of
admin user");
- }
- if
(InformationSchema.INFORMATION_DATABASE.equals(statement.getDatabase())) {
- throw new SemanticException(
- "Cannot grant or revoke any privileges to information_schema");
- }
if (hasGlobalPrivilege(userName, PrivilegeType.SECURITY)) {
return;
}
@@ -368,9 +326,6 @@ public class AccessControlImpl implements AccessControl {
case GRANT_ROLE_SYS:
case REVOKE_USER_SYS:
case REVOKE_ROLE_SYS:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- throw new AccessDeniedException("Cannot grant/revoke privileges of
admin user");
- }
if (hasGlobalPrivilege(userName, PrivilegeType.SECURITY)) {
return;
}
@@ -414,7 +369,7 @@ public class AccessControlImpl implements AccessControl {
@Override
public TSStatus checkPermissionBeforeProcess(Statement statement, String
userName) {
- if (AuthorityChecker.SUPER_USER.equals(userName) && !(statement instanceof
AuthorStatement)) {
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
}
return treeAccessCheckVisitor.process(statement, new
TreeAccessCheckContext(userName));
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 6732d3cafd3..3c9ecffffeb 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -358,33 +358,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
AuthorType authorType = statement.getAuthorType();
switch (authorType) {
case CREATE_USER:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- return AuthorityChecker.getTSStatus(
- false, "Cannot create user has same name with admin user");
- }
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
- return RpcUtils.SUCCESS_STATUS;
- }
+ case DROP_USER:
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_USER),
PrivilegeType.MANAGE_USER);
case UPDATE_USER:
// users can change passwords of themselves
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || statement.getUserName().equals(context.userName)) {
- return RpcUtils.SUCCESS_STATUS;
- }
- return AuthorityChecker.getTSStatus(
- AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_USER),
- PrivilegeType.MANAGE_USER);
-
- case DROP_USER:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())
- || statement.getUserName().equals(context.userName)) {
- return AuthorityChecker.getTSStatus(false, "Cannot drop admin user
or yourself");
- }
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
+ if (statement.getUserName().equals(context.userName)) {
return RpcUtils.SUCCESS_STATUS;
}
return AuthorityChecker.getTSStatus(
@@ -392,16 +373,14 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
PrivilegeType.MANAGE_USER);
case LIST_USER:
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SECURITY)) {
+ if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SECURITY)) {
return RpcUtils.SUCCESS_STATUS;
}
statement.setUserName(context.userName);
return RpcUtils.SUCCESS_STATUS;
case LIST_USER_PRIVILEGE:
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || context.userName.equals(statement.getUserName())) {
+ if (context.userName.equals(statement.getUserName())) {
return RpcUtils.SUCCESS_STATUS;
}
return AuthorityChecker.getTSStatus(
@@ -409,9 +388,6 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
PrivilegeType.MANAGE_USER);
case LIST_ROLE_PRIVILEGE:
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
- return RpcUtils.SUCCESS_STATUS;
- }
if (!AuthorityChecker.checkRole(context.userName,
statement.getRoleName())) {
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_ROLE),
@@ -421,9 +397,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
}
case LIST_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || AuthorityChecker.checkSystemPermission(
- context.userName, PrivilegeType.MANAGE_ROLE)) {
+ if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_ROLE)) {
return RpcUtils.SUCCESS_STATUS;
}
// list roles of other user is not allowed
@@ -434,16 +408,9 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
return RpcUtils.SUCCESS_STATUS;
case CREATE_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getRoleName())) {
- return AuthorityChecker.getTSStatus(
- false, "Cannot create role has same name with admin user");
- }
case DROP_ROLE:
case GRANT_USER_ROLE:
case REVOKE_USER_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(context.userName)) {
- return RpcUtils.SUCCESS_STATUS;
- }
return AuthorityChecker.getTSStatus(
AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.MANAGE_ROLE),
PrivilegeType.MANAGE_ROLE);
@@ -452,12 +419,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
case GRANT_USER:
case GRANT_ROLE:
case REVOKE_ROLE:
- if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
- return AuthorityChecker.getTSStatus(
- false, "Cannot grant/revoke privileges of admin user");
- }
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SECURITY)) {
+ if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SECURITY)) {
return RpcUtils.SUCCESS_STATUS;
}
@@ -1085,8 +1047,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
// ======================== TTL related ===========================
@Override
public TSStatus visitSetTTL(SetTTLStatement statement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)) {
+ if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)) {
return SUCCEED;
}
List<PartialPath> checkedPaths = statement.getPaths();
@@ -1099,8 +1060,7 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitShowTTL(ShowTTLStatement showTTLStatement,
TreeAccessCheckContext context) {
- if (AuthorityChecker.SUPER_USER.equals(context.userName)
- || AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)) {
+ if (AuthorityChecker.checkSystemPermission(context.userName,
PrivilegeType.SYSTEM)) {
return SUCCEED;
}
return visitAuthorityInformation(showTTLStatement, context);
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
index a66d6f022c0..1d4238329c2 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java
@@ -20,8 +20,10 @@ package
org.apache.iotdb.db.queryengine.plan.relational.sql.ast;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.schema.table.InformationSchema;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.relational.type.AuthorRType;
import org.apache.iotdb.db.utils.DataNodeAuthUtils;
@@ -314,4 +316,91 @@ public class RelationalAuthorStatement extends Statement {
public void setOldPassword(String oldPassword) {
this.oldPassword = oldPassword;
}
+
+ public TSStatus checkStatementIsValid(String currentUser) {
+ switch (authorType) {
+ case CREATE_USER:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot create user has same name with admin user");
+ }
+ break;
+ case CREATE_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(roleName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot create role has same name with admin user");
+ }
+ break;
+ case DROP_USER:
+ if (AuthorityChecker.SUPER_USER.equals(userName) ||
userName.equals(currentUser)) {
+ return AuthorityChecker.getTSStatus(false, "Cannot drop admin user
or yourself");
+ }
+ break;
+ case DROP_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(false, "Cannot drop role with
admin name");
+ }
+ break;
+ case GRANT_ROLE_ANY:
+ case GRANT_USER_ANY:
+ case REVOKE_ROLE_ANY:
+ case REVOKE_USER_ANY:
+ case GRANT_USER_SYS:
+ case GRANT_ROLE_SYS:
+ case REVOKE_USER_SYS:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant/revoke privileges of admin user");
+ }
+ break;
+ case GRANT_USER_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(false, "Cannot grant role to
admin");
+ }
+ break;
+ case REVOKE_USER_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(false, "Cannot revoke role from
admin");
+ }
+ break;
+ case GRANT_ROLE_ALL:
+ case REVOKE_ROLE_ALL:
+ case GRANT_USER_ALL:
+ case REVOKE_USER_ALL:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant/revoke all privileges of admin user");
+ }
+ break;
+ case GRANT_USER_DB:
+ case GRANT_ROLE_DB:
+ case REVOKE_USER_DB:
+ case REVOKE_ROLE_DB:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant/revoke privileges/role of admin user");
+ }
+ if (InformationSchema.INFORMATION_DATABASE.equals(database)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant or revoke any privileges to
information_schema");
+ }
+ break;
+ case GRANT_USER_TB:
+ case GRANT_ROLE_TB:
+ case REVOKE_USER_TB:
+ case REVOKE_ROLE_TB:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant/revoke privileges/role of admin user");
+ }
+ if (InformationSchema.INFORMATION_DATABASE.equals(database)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant or revoke any privileges to
information_schema");
+ }
+ break;
+ default:
+ break;
+ }
+ return RpcUtils.SUCCESS_STATUS;
+ }
}
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
index 7ffdba24b4d..7cf0950e45d 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java
@@ -23,6 +23,7 @@ import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
+import org.apache.iotdb.db.auth.AuthorityChecker;
import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
import org.apache.iotdb.db.queryengine.plan.statement.AuthorType;
import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
@@ -270,4 +271,35 @@ public class AuthorStatement extends Statement implements
IConfigStatement {
}
return null;
}
+
+ public TSStatus checkStatementIsValid(String currentUser) {
+ switch (authorType) {
+ case CREATE_USER:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot create user has same name with admin user");
+ }
+ break;
+ case DROP_USER:
+ if (AuthorityChecker.SUPER_USER.equals(userName) ||
userName.equals(currentUser)) {
+ return AuthorityChecker.getTSStatus(false, "Cannot drop admin user
or yourself");
+ }
+ case CREATE_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(roleName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot create role has same name with admin user");
+ }
+ break;
+ case REVOKE_USER:
+ case GRANT_USER:
+ case GRANT_ROLE:
+ case REVOKE_ROLE:
+ if (AuthorityChecker.SUPER_USER.equals(userName)) {
+ return AuthorityChecker.getTSStatus(
+ false, "Cannot grant/revoke privileges of admin user");
+ }
+ break;
+ }
+ return RpcUtils.SUCCESS_STATUS;
+ }
}
