This is an automated email from the ASF dual-hosted git repository.
yongzao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 5621279d5e2 Audit SQL 'COUNT DATABASE' (#16569)
5621279d5e2 is described below
commit 5621279d5e291ec1a3a6562e36ee66197a74aec9
Author: Yongzao <[email protected]>
AuthorDate: Mon Oct 13 13:35:45 2025 +0800
Audit SQL 'COUNT DATABASE' (#16569)
---
.../iotdb/db/it/audit/IoTDBAuditLogBasicIT.java | 34 +++++++++++++++-------
.../security/TreeAccessCheckVisitor.java | 14 +++++++--
2 files changed, 35 insertions(+), 13 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
index ba5a9676ea3..f12dd4ca66e 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
@@ -277,12 +277,12 @@ public class IoTDBAuditLogBasicIT {
"127.0.0.1",
"OBJECT_AUTHENTICATION",
"QUERY",
- "[MANAGE_DATABASE]",
- "OBJECT",
+ "[SYSTEM]",
+ "GLOBAL",
"true",
"[root.__audit]",
"SHOW DATABASES root.__audit",
- "User root (ID=0) requests authority on object root.__audit
with result true"),
+ "User root (ID=0) requests authority on object
[root.__audit] with result true"),
Arrays.asList(
"node_1",
"u_0",
@@ -1305,7 +1305,7 @@ public class IoTDBAuditLogBasicIT {
Arrays.asList(
"CREATE DATABASE root.test",
"show databases",
- // "COUNT databases",
+ "COUNT databases",
"set ttl to root.test.** INF",
"create timeseries root.test.d1.s1 with datatype=BOOLEAN",
"create timeseries root.test.d1.s2 with datatype=INT64",
@@ -1425,11 +1425,11 @@ public class IoTDBAuditLogBasicIT {
Arrays.asList(
"root.__audit.log.node_1.u_0",
"true",
- "OBJECT",
- "[MANAGE_DATABASE]",
+ "GLOBAL",
+ "[SYSTEM]",
"[root.__audit]",
"QUERY",
- "User root (ID=0) requests authority on object root.__audit
with result true",
+ "User root (ID=0) requests authority on object
[root.__audit] with result true",
"SHOW DATABASES root.__audit",
"OBJECT_AUTHENTICATION",
"127.0.0.1",
@@ -1566,15 +1566,29 @@ public class IoTDBAuditLogBasicIT {
Arrays.asList(
"root.__audit.log.node_1.u_0",
"true",
- "OBJECT",
- "[MANAGE_DATABASE]",
+ "GLOBAL",
+ "[SYSTEM]",
"[root.**]",
"QUERY",
- "User root (ID=0) requests authority on object root.** with
result true",
+ "User root (ID=0) requests authority on object [root.**]
with result true",
"show databases",
"OBJECT_AUTHENTICATION",
"127.0.0.1",
"root")),
+ // Count database
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SYSTEM]",
+ "[root.**]",
+ "QUERY",
+ "User root (ID=0) requests authority on object [root.**]
with result true",
+ "COUNT databases",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Set TTL to database
new AuditLogSet(
Arrays.asList(
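Review bot: The new `AuditLogSet` for `COUNT databases` only pins the super-user record (`root`, privilege `[SYSTEM]`, result `true`); nothing in this hunk exercises the non-super-user branch of `visitCountStorageGroup`, which the production change leaves to `setCanSeeAuditDB`, so a regression in what that path records (privilege type, a `false` result) would not be caught here. If the file already carries a non-root audit scenario for `show databases`, adding a matching `COUNT databases` expectation next to it would cover that path; I cannot see from this hunk whether such a scenario exists. The list of expected records continues outside the hunk.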
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index 287b2942ccb..d939a85d7b4 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -943,11 +943,10 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
showDatabaseStatement.getPaths().stream()
.distinct()
.collect(Collectors.toList())
- .toString())
- .setPrivilegeType(PrivilegeType.MANAGE_DATABASE);
+ .toString());
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
recordObjectAuthenticationAuditLog(
- context.setResult(true), () ->
showDatabaseStatement.getPathPattern().toString());
+ context.setPrivilegeType(PrivilegeType.SYSTEM).setResult(true),
context::getDatabase);
return SUCCEED;
}
setCanSeeAuditDB(showDatabaseStatement, context);
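Review bot: The privilege type is now set only inside the super-user branch (`context.setPrivilegeType(PrivilegeType.SYSTEM)` on the line before `context::getDatabase`), whereas the removed `.setPrivilegeType(PrivilegeType.MANAGE_DATABASE)` applied to every caller; a non-super user falling through to `setCanSeeAuditDB(showDatabaseStatement, context)` therefore carries whatever privilege type the context already held unless the code after the hunk assigns one. Since the super-user branch overrides the value anyway, keeping it on the pre-branch chain is harmless if MANAGE_DATABASE is still the privilege the later check is about: `.toString())` followed by `.setPrivilegeType(PrivilegeType.MANAGE_DATABASE);`. The same gap exists in `visitCountStorageGroup` in the next hunk, which sets no privilege type on the non-super-user path within the hunk. The remainder of both methods lies outside the hunks, so confirm what the audit record reports for a denied request there.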
@@ -957,7 +956,16 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
@Override
public TSStatus visitCountStorageGroup(
CountDatabaseStatement countDatabaseStatement, TreeAccessCheckContext
context) {
+ context
+ .setAuditLogOperation(AuditLogOperation.QUERY)
+ .setDatabase(
+ countDatabaseStatement.getPaths().stream()
+ .distinct()
+ .collect(Collectors.toList())
+ .toString());
if (AuthorityChecker.SUPER_USER.equals(context.getUsername())) {
+ recordObjectAuthenticationAuditLog(
+ context.setPrivilegeType(PrivilegeType.SYSTEM).setResult(true),
context::getDatabase);
return SUCCEED;
}
setCanSeeAuditDB(countDatabaseStatement, context);
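Review bot: The seven-line preamble that sets the audit operation and formats the distinct paths via `.collect(Collectors.toList()).toString()` is now duplicated verbatim between `visitCountStorageGroup` and the show-databases visitor in the previous hunk. A small private helper taking the statement's `getPaths()` result, e.g. `context.setAuditLogOperation(AuditLogOperation.QUERY).setDatabase(distinctPathsAsString(countDatabaseStatement.getPaths()));`, keeps the logged object format in one place so the two records cannot drift apart. Relying on `List.toString()` for the audited object also deserves a comment, since the tests in this commit pin the `[root.**]` form; something like `// audited "object" is List#toString of the distinct path patterns; IoTDBAuditLogBasicIT matches this format` would document it. The rest of the method is outside the hunk.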