This is an automated email from the ASF dual-hosted git repository.
yongzao pushed a commit to branch audit-log-patch-again
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/audit-log-patch-again by this
push:
new f79989353a6 finish
f79989353a6 is described below
commit f79989353a62aff7f1696080ab535952ba1fba98
Author: Yongzao <[email protected]>
AuthorDate: Sat Oct 11 22:08:56 2025 +0800
finish
---
.../org/apache/iotdb/db/it/audit/AuditLogSet.java | 5 +-
.../iotdb/db/it/audit/IoTDBAuditLogBasicIT.java | 2003 ++++++++++----------
.../security/TreeAccessCheckVisitor.java | 9 +-
3 files changed, 1053 insertions(+), 964 deletions(-)
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/AuditLogSet.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/AuditLogSet.java
index b21b46582d5..9fff64a9007 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/AuditLogSet.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/AuditLogSet.java
@@ -19,6 +19,7 @@
package org.apache.iotdb.db.it.audit;
+import com.google.common.collect.HashMultiset;
import org.junit.Assert;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -36,12 +37,12 @@ public class AuditLogSet {
private static final Logger LOGGER =
LoggerFactory.getLogger(AuditLogSet.class);
private final int logCnt;
- private final Set<List<String>> auditLogSet;
+ private final HashMultiset<List<String>> auditLogSet;
@SafeVarargs
public AuditLogSet(List<String>... auditLogs) {
logCnt = auditLogs.length;
- auditLogSet = Stream.of(auditLogs).collect(Collectors.toSet());
+ auditLogSet =
Stream.of(auditLogs).collect(Collectors.toCollection(HashMultiset::create));
}
public void containAuditLog(ResultSet resultSet, Set<Integer>
indexForContain, int columnCnt)
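Review bot: The field on the `+ private final HashMultiset<List<String>> auditLogSet;` line is declared with the concrete Guava class, while the constructor and the rest of the class only need the interface; `private final Multiset<List<String>> auditLogSet;` with `import com.google.common.collect.Multiset;` keeps the `HashMultiset::create` collector and hides the implementation choice. Moving from a `Set` to a multiset also changes what is being asserted: duplicate expected rows (such as the paired LOGIN/LOGOUT records) are now counted instead of collapsed, so `logCnt` now equals `auditLogSet.size()` and could be dropped, and `containAuditLog` presumably has to remove each matched entry from the multiset for the multiplicity to mean anything. That method's body is outside the hunk, so this is inferred; if it still only tests membership, an expected row listed twice is accepted whether the log holds it once or twice.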
diff --git
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
index d1493ee8ed5..e423b511da4 100644
---
a/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
+++
b/integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java
@@ -35,18 +35,16 @@ import org.junit.Before;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.StringJoiner;
+import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@@ -58,7 +56,8 @@ import java.util.stream.Stream;
@Category({LocalStandaloneIT.class})
public class IoTDBAuditLogBasicIT {
- private static final Logger LOGGER =
LoggerFactory.getLogger(IoTDBAuditLogBasicIT.class);
+ private static final long ENSURE_AUDIT_LOG_SLEEP_IN_MS = 250;
+
private static final List<String> AUDIT_TABLE_COLUMNS =
Arrays.asList(
AbstractAuditLogger.AUDIT_LOG_NODE_ID,
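Review bot: The new constant `ENSURE_AUDIT_LOG_SLEEP_IN_MS` carries no comment saying what the 250 ms is waiting for; the only explanation lives in the in-method comment at the sleep sites further down. A one-line Javadoc such as `/** Time allowed for the server to record the LOGOUT audit entry after a connection is closed. */` keeps the rationale next to the value, and the `_IN_MS` suffix then matches the `TimeUnit.MILLISECONDS` calls that consume it. The replaced `LOGGER` field was the class's only logger, so any remaining log statements elsewhere in the file should have gone with it; that cannot be confirmed from this hunk.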
@@ -140,13 +139,13 @@ public class IoTDBAuditLogBasicIT {
// Ensure the session conns in test env are closed completely,
// in order to generate logout audit log
// TODO: Optimize this func after the close func of connection is optimized
- Thread.sleep(1000);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
((ClusterTestConnection) connection).writeConnection.close();
- Thread.sleep(1000);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
for (NodeConnection conn : ((ClusterTestConnection)
connection).readConnections) {
- Thread.sleep(1000);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
conn.close();
- Thread.sleep(1000);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
}
}
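Review bot: The four sleeps in this hunk drop from 1000 ms to 250 ms while the surrounding comment and TODO still describe them as a timing workaround for the connection close, so the test keeps depending on wall-clock delay for the LOGOUT audit record to be written, now with a quarter of the margin; on a slow CI node this shows up as a flaky mismatch in the expected audit rows rather than a clear failure. If the server exposes the audit rows through the `__audit` table the test already queries, polling that table until the expected LOGOUT row appears (with an upper bound) would make the wait deterministic; otherwise a comment on the constant stating why 250 ms is known to be enough would at least record the basis. `TimeUnit.MILLISECONDS.sleep` throws `InterruptedException` like `Thread.sleep`, so the signature is unaffected. The enclosing method, presumably `closeConnectionCompletely` from the call at the bottom of the file, starts outside the hunk.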
@@ -155,7 +154,7 @@ public class IoTDBAuditLogBasicIT {
"CREATE DATABASE test",
"USE test",
// "SHOW CURRENT_DATABASE",
- // "SHOW DATABASES",
+ "SHOW DATABASES",
"ALTER DATABASE test SET PROPERTIES TTL='INF'",
"CREATE TABLE table1(t1 STRING TAG, a1 STRING ATTRIBUTE, s1 STRING
FIELD)",
"SHOW TABLES",
@@ -489,7 +488,7 @@ public class IoTDBAuditLogBasicIT {
"true",
"__audit",
"SHOW DATABASES",
- "User root (ID=0) requests authority on object test with
result true")),
+ "User root (ID=0) requests authority on object __audit with
result true")),
// Alter database
new AuditLogSet(
Arrays.asList(
@@ -1305,7 +1304,7 @@ public class IoTDBAuditLogBasicIT {
private static final List<String> TREE_MODEL_AUDIT_SQLS_USER_ROOT =
Arrays.asList(
"CREATE DATABASE root.test",
- // "show databases",
+ "show databases",
// "COUNT databases",
"set ttl to root.test.** INF",
"create timeseries root.test.d1.s1 with datatype=BOOLEAN",
@@ -1329,9 +1328,8 @@ public class IoTDBAuditLogBasicIT {
"LIST PRIVILEGES OF USER user1",
"insert into root.test.d1(timestamp,s1,s2,s3) values(1,true,1,'1')",
"insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(1,true,1,'1')",
- // TODO: Enable testing select for normal user
- // "select * from root.test.d1 order by time",
- // "select * from root.test.d2 order by time",
+ "select * from root.test.d1 order by time",
+ "select * from root.test.d2 order by time",
"delete from root.test.d1.s3",
"delete from root.test.d2.s3");
private static final List<String> TREE_MODEL_AUDIT_SQLS_USER_USER2 =
@@ -1342,11 +1340,8 @@ public class IoTDBAuditLogBasicIT {
"list role",
"insert into root.test.d1(timestamp,s1,s2,s3) values(1,true,1,'1')",
"insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(1,true,1,'1')",
- "insert into root.test.d1(timestamp,s1,s2,s3) values(1,false,2,'2')",
- "insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(1,false,2,'2')",
- // TODO: Enable testing select for normal user
- // "select * from root.test.d1 order by time",
- // "select * from root.test.d2 order by time",
+ "select * from root.test.d1 order by time",
+ "select * from root.test.d2 order by time",
"delete from root.test.d1.s3",
"delete from root.test.d2.s3");
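Review bot: The two `values(1,false,2,'2')` inserts are removed from `TREE_MODEL_AUDIT_SQLS_USER_USER2` without a comment, while the preceding list in the earlier hunk keeps its inserts and only gains the two selects, so the two statement lists are no longer parallel and a reader cannot tell whether user2 is meant to write less or whether the second insert was only dropped to simplify the expected audit rows. A short comment on the list, for example `// user2 only re-inserts once; the second write is covered by the user1 list`, would record the intent, adjusted to whatever the actual reason is. The enabled `select` statements should be mirrored by READ_DATA authentication rows in the expected audit fields for this user; that part of the expected data is in the large hunk below and could not be checked here.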
private static final List<String> TREE_MODEL_AUDIT_SQLS_USER_ROOT_FINAL =
@@ -1359,943 +1354,1048 @@ public class IoTDBAuditLogBasicIT {
"DROP USER user2",
"DROP ROLE role1",
"DELETE DATABASE root.test");
- private static final List<List<String>> TREE_MODEL_AUDIT_FIELDS =
+ private static final List<AuditLogSet> TREE_MODEL_AUDIT_FIELDS =
Arrays.asList(
// Start audit service
- Arrays.asList(
- "root.__audit.log.node_1.u_none",
- "true",
- "GLOBAL",
- "[AUDIT]",
- "null",
- "CONTROL",
- "Successfully start the Audit service with configurations
(auditableOperationType [DDL, DML, QUERY, CONTROL], auditableOperationLevel
GLOBAL, auditableOperationResult SUCCESS,FAIL)",
- "null",
- "CHANGE_AUDIT_OPTION",
- "null",
- "null"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- // Show audit database
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[MANAGE_DATABASE]",
- "[root.__audit]",
- "QUERY",
- "User root (ID=0) requests authority on object root.__audit with
result true",
- "SHOW DATABASES root.__audit",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- // Desc audit table
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[READ_SCHEMA]",
- "__audit",
- "QUERY",
- "User root (ID=0) requests authority on object audit_log with
result true",
- "DESC __audit.audit_log",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_none",
+ "true",
+ "GLOBAL",
+ "[AUDIT]",
+ "null",
+ "CONTROL",
+ "Successfully start the Audit service with configurations
(auditableOperationType [DDL, DML, QUERY, CONTROL], auditableOperationLevel
GLOBAL, auditableOperationResult SUCCESS,FAIL)",
+ "null",
+ "CHANGE_AUDIT_OPTION",
+ "null",
+ "null")),
+ // Environment setup login/logout
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root")),
+ // Show audit log database
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[MANAGE_DATABASE]",
+ "[root.__audit]",
+ "QUERY",
+ "User root (ID=0) requests authority on object root.__audit
with result true",
+ "SHOW DATABASES root.__audit",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root")),
+ // Desc audit log table view
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[READ_SCHEMA]",
+ "__audit",
+ "QUERY",
+ "User root (ID=0) requests authority on object audit_log
with result true",
+ "DESC __audit.audit_log",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root")),
// =============================Audit user
root=============================
// Root login, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root")),
// Create database
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[MANAGE_DATABASE]",
- "root.test",
- "DDL",
- "User root (ID=0) requests authority on object root.test with
result true",
- "CREATE DATABASE root.test",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[MANAGE_DATABASE]",
+ "root.test",
+ "DDL",
+ "User root (ID=0) requests authority on object root.test
with result true",
+ "CREATE DATABASE root.test",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Show database
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[MANAGE_DATABASE]",
+ "[root.**]",
+ "QUERY",
+ "User root (ID=0) requests authority on object root.** with
result true",
+ "show databases",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Set TTL to database
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[SYSTEM]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.**]
with result true",
- "set ttl to root.test.** INF",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SYSTEM]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.**] with result true",
+ "set ttl to root.test.** INF",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Create (aligned) timeseries TODO: fill database if necessary,
same as follows
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d1.s1]
with result true",
- "create timeseries root.test.d1.s1 with datatype=BOOLEAN",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d1.s2]
with result true",
- "create timeseries root.test.d1.s2 with datatype=INT64",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d1.s3]
with result true",
- "create timeseries root.test.d1.s3 with datatype=TEXT",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d2.s1,
root.test.d2.s2, root.test.d2.s3] with result true",
- "CREATE ALIGNED TIMESERIES root.test.d2(s1 BOOLEAN, s2 INT64, s3
TEXT)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.s1] with result true",
+ "create timeseries root.test.d1.s1 with datatype=BOOLEAN",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.s2] with result true",
+ "create timeseries root.test.d1.s2 with datatype=INT64",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.s3] with result true",
+ "create timeseries root.test.d1.s3 with datatype=TEXT",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d2.s1, root.test.d2.s2, root.test.d2.s3] with result true",
+ "CREATE ALIGNED TIMESERIES root.test.d2(s1 BOOLEAN, s2
INT64, s3 TEXT)",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Show timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[READ_DATA, READ_SCHEMA]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object [root.**] with
result true",
- "show timeseries",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[READ_DATA, READ_SCHEMA]",
+ "null",
+ "QUERY",
+ "User root (ID=0) requests authority on object [root.**]
with result true",
+ "show timeseries",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Count timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[READ_SCHEMA]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object [root.test] with
result true",
- "COUNT TIMESERIES root.test",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[READ_SCHEMA]",
+ "null",
+ "QUERY",
+ "User root (ID=0) requests authority on object [root.test]
with result true",
+ "COUNT TIMESERIES root.test",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
// Alter timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d1.s1]
with result true",
- "ALTER timeseries root.test.d1.s1 ADD TAGS tag3=v3, tag4=v4",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d2.s1]
with result true",
- "ALTER timeseries root.test.d2.s1 ADD TAGS tag3=v3, tag4=v4",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Create user
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_USER]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object user1 with result
true",
- "CREATE USER user1 ...",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_USER]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object user2 with result
true",
- "CREATE USER user2 ...",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Create role
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_ROLE]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object role1 with result
true",
- "CREATE ROLE role1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Grant privileges to user
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[SECURITY]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object user1 with result
true",
- "GRANT READ_DATA, WRITE_DATA ON root.test.** TO USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Grant privileges to role
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[SECURITY]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object role1 with result
true",
- "GRANT READ ON root.test.** TO ROLE role1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Grant role to user
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_ROLE]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object user: user2,
role: role1 with result true",
- "GRANT ROLE role1 TO user2",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // List user, the target object is null since the root can list all
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_USER]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object null with result
true",
- "list user",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // List role, the target object is null since the root can list all
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_ROLE]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object null with result
true",
- "list role",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Root logout, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "root"),
- // =============================Audit user
user1=============================
- // User1 login, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user1 (ID=10000),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user1 (ID=10000),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user1"),
- // List privilege of user1
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object user1 with
result true",
- "LIST PRIVILEGES OF USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Insert into (aligned) timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User user1 (ID=10000) requests authority on object
[root.test.d1.s1, root.test.d1.s2, root.test.d1.s3] with result true",
- "insert into root.test.d1(timestamp,s1,s2,s3) values(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User user1 (ID=10000) requests authority on object
[root.test.d2.s1, root.test.d2.s2, root.test.d2.s3] with result true",
- "insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Select timeseries data
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object
[root.test.d1.*] with result true",
- "select * from root.test.d1 order by time",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object
[root.test.d2.*] with result true",
- "select * from root.test.d2 order by time",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Delete timeseries data
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d1.s3]
with result true",
- "delete from root.test.d1.s3",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d2.s3]
with result true",
- "delete from root.test.d2.s3",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // user1 logout, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "user1"),
- // =============================Audit user
user2=============================
- // User2 login, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_10001",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user2 (ID=10001),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user2"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10001",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user2 (ID=10001),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user2"),
- // List privilege of user2
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object user1 with
result true",
- "LIST PRIVILEGES OF USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // List privilege of role1
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object user1 with
result true",
- "LIST PRIVILEGES OF USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // List user, can only see him/herself
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object user1 with
result true",
- "LIST PRIVILEGES OF USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // List role, can only see his/hers roles
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object user1 with
result true",
- "LIST PRIVILEGES OF USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Insert into (aligned) timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User user1 (ID=10000) requests authority on object
[root.test.d1.s1, root.test.d1.s2, root.test.d1.s3] with result true",
- "insert into root.test.d1(timestamp,s1,s2,s3) values(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User user1 (ID=10000) requests authority on object
[root.test.d2.s1, root.test.d2.s2, root.test.d2.s3] with result true",
- "insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Select timeseries data
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object
[root.test.d1.*] with result true",
- "select * from root.test.d1 order by time",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User user1 (ID=10000) requests authority on object
[root.test.d2.*] with result true",
- "select * from root.test.d2 order by time",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // Delete timeseries data
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d1.s3]
with result true",
- "delete from root.test.d1.s3",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d2.s3]
with result true",
- "delete from root.test.d2.s3",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "user1"),
- // user1 logout, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "user1"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10000",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "is closing",
- "",
- "LOGOUT",
- "127.0.0.1",
- "user1"),
- // =============================Audit user
user2=============================
- // User2 login, twice for both read and write connections
- Arrays.asList(
- "root.__audit.log.node_1.u_10001",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user2 (ID=10001),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user2"),
- Arrays.asList(
- "root.__audit.log.node_1.u_10001",
- "true",
- "GLOBAL",
- "null",
- "",
- "CONTROL",
- "IoTDB: Login status: Login successfully. User user2 (ID=10001),
opens Session",
- "",
- "LOGIN",
- "127.0.0.1",
- "user2"),
- // Drop role
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_ROLE]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object role1 with result
true",
- "DROP ROLE role1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Drop user
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[MANAGE_USER]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object user1 with result
true",
- "DROP USER user1",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Insert into (aligned) timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d1.s2]
with result true",
- "INSERT INTO root.test.d1(timestamp,s2) VALUES(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d2.s1,
root.test.d2.s2] with result true",
- "INSERT INTO root.test.d2(timestamp,s1,s2) ALIGNED VALUES(...)",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Select all timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object [root.test.**]
with result true",
- "SELECT ** FROM root.test",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Delete timeseries data
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_DATA]",
- "null",
- "DML",
- "User root (ID=0) requests authority on object [root.test.d2]
with result true",
- "DELETE FROM root.test.d2",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Drop timeseries
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[WRITE_SCHEMA]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.d1.s2]
with result true",
- "DROP TIMESERIES root.test.d1.s2",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Set TTL to devices
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "GLOBAL",
- "[SYSTEM]",
- "null",
- "DDL",
- "User root (ID=0) requests authority on object [root.test.**]
with result true",
- "set ttl to root.test.** 360000",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Delete database
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[MANAGE_DATABASE]",
- "[root.test]",
- "DDL",
- "User root (ID=0) requests authority on object [root.test] with
result true",
- "DELETE DATABASE root.test",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"),
- // Select audit log
- Arrays.asList(
- "root.__audit.log.node_1.u_0",
- "true",
- "OBJECT",
- "[READ_DATA]",
- "null",
- "QUERY",
- "User root (ID=0) requests authority on object
[root.__audit.log.**.*] with result true",
- "SELECT * FROM root.__audit.log.** ORDER BY TIME ALIGN BY
DEVICE",
- "OBJECT_AUTHENTICATION",
- "127.0.0.1",
- "root"));
- private static final Set<Integer> TREE_INDEX_FOR_CONTAIN =
- Stream.of(7).collect(Collectors.toSet());
-
- @Test
- public void basicAuditLogTestForTreeModel() throws SQLException,
InterruptedException {
- Connection connection =
EnvFactory.getEnv().getConnection(BaseEnv.TREE_SQL_DIALECT);
- Statement statement = connection.createStatement();
- for (String sql : TREE_MODEL_AUDIT_SQLS_USER_ROOT) {
- statement.execute(sql);
- }
- closeConnectionCompletely(connection);
- connection =
- EnvFactory.getEnv().getConnection("user1", "IoTDB@2025abc",
BaseEnv.TREE_SQL_DIALECT);
- statement = connection.createStatement();
- for (String sql : TREE_MODEL_AUDIT_SQLS_USER_USER1) {
- statement.execute(sql);
- }
- closeConnectionCompletely(connection);
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.s1] with result true",
+ "ALTER timeseries root.test.d1.s1 ADD TAGS tag3=v3, tag4=v4",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d2.s1] with result true",
+ "ALTER timeseries root.test.d2.s1 ADD TAGS tag3=v3, tag4=v4",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Create user/role
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user1 with
result true",
+ "CREATE USER user1 ...",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user2 with
result true",
+ "CREATE USER user2 ...",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_ROLE]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object role1 with
result true",
+ "CREATE ROLE role1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Grant privileges: pri->user, pri->role, role->user
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SECURITY]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user1 with
result true",
+ "GRANT READ_DATA, WRITE_DATA ON root.test.** TO USER user1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SECURITY]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object role1 with
result true",
+ "GRANT READ ON root.test.** TO ROLE role1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_ROLE]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user: user2,
role: role1 with result true",
+ "GRANT ROLE role1 TO user2",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // List user/role, the target object is null since the root can list
all,
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "QUERY",
+ "User root (ID=0) requests authority on object null with
result true",
+ "list user",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_ROLE]",
+ "null",
+ "QUERY",
+ "User root (ID=0) requests authority on object null with
result true",
+ "list role",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Root logout, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "root")),
+ // =============================Audit user
user1=============================
+ // User1 login, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User user1
(ID=10000), opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User user1
(ID=10000), opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "user1")),
+ // List privilege of user1
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "GLOBAL",
+ "null",
+ "null",
+ "QUERY",
+ "User user1 (ID=10000) requests authority on object user1
with result true",
+ "LIST PRIVILEGES OF USER user1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1")),
+ // Insert into (aligned) timeseries
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user1 (ID=10000) requests authority on object
[root.test.d1.s1, root.test.d1.s2, root.test.d1.s3] with result true",
+ "insert into root.test.d1(timestamp,s1,s2,s3) values(...)",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user1 (ID=10000) requests authority on object
[root.test.d2.s1, root.test.d2.s2, root.test.d2.s3] with result true",
+ "insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(...)",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1")),
+ // Select timeseries data
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "false",
+ "GLOBAL",
+ "[AUDIT]",
+ "null",
+ "QUERY",
+ "User user1 (ID=10000) requests authority on object
root.__audit with result false",
+ "select * from root.test.d1 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[READ_DATA]",
+ "null",
+ "QUERY",
+ "User user1 (ID=10000) requests authority on object
[root.test.d1.*] with result true",
+ "select * from root.test.d1 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "false",
+ "GLOBAL",
+ "[AUDIT]",
+ "null",
+ "QUERY",
+ "User user1 (ID=10000) requests authority on object
root.__audit with result false",
+ "select * from root.test.d2 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[READ_DATA]",
+ "null",
+ "QUERY",
+ "User user1 (ID=10000) requests authority on object
[root.test.d2.*] with result true",
+ "select * from root.test.d2 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1")),
+ // Delete timeseries data
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user1 (ID=10000) requests authority on object
[root.test.d1.s3] with result true",
+ "delete from root.test.d1.s3",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user1 (ID=10000) requests authority on object
[root.test.d2.s3] with result true",
+ "delete from root.test.d2.s3",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user1")),
+ // user1 logout, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "user1"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10000",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "user1")),
+ // =============================Audit user
user2=============================
+ // User2 login, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User user2
(ID=10001), opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User user2
(ID=10001), opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "user2")),
+ // List privilege of user2/role1
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object user2
with result true",
+ "LIST PRIVILEGES OF USER user2",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object user2
with result true",
+ "LIST PRIVILEGES OF ROLE role1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2")),
+ // List user/role, can only see him/herself
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object null
with result false",
+ "list user",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "[null]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object user2
with result true",
+ "list user",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ // List role, can only see his/hers roles
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "GLOBAL",
+ "[MANAGE_ROLE]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object null
with result false",
+ "list role",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "[null]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object user2
with result true",
+ "list role",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2")),
+ // Insert into (aligned) timeseries failed
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user2 (ID=10001) requests authority on object
[root.test.d1.s1, root.test.d1.s2, root.test.d1.s3] with result false",
+ "insert into root.test.d1(timestamp,s1,s2,s3) values(...)",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user2 (ID=10001) requests authority on object
[root.test.d2.s1, root.test.d2.s2, root.test.d2.s3] with result false",
+ "insert into root.test.d2(timestamp,s1,s2,s3) aligned
values(...)",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2")),
+ // Select timeseries data
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "GLOBAL",
+ "[AUDIT]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object
root.__audit with result false",
+ "select * from root.test.d1 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "OBJECT",
+ "[READ_DATA]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object
[root.test.d1.*] with result true",
+ "select * from root.test.d1 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "GLOBAL",
+ "[AUDIT]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object
root.__audit with result false",
+ "select * from root.test.d2 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "OBJECT",
+ "[READ_DATA]",
+ "null",
+ "QUERY",
+ "User user2 (ID=10001) requests authority on object
[root.test.d2.*] with result true",
+ "select * from root.test.d2 order by time",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2")),
+ // Delete timeseries data failed
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user2 (ID=10001) requests authority on object
[root.test.d1.s3] with result false",
+ "delete from root.test.d1.s3",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "false",
+ "OBJECT",
+ "[WRITE_DATA]",
+ "null",
+ "DML",
+ "User user2 (ID=10001) requests authority on object
[root.test.d2.s3] with result false",
+ "delete from root.test.d2.s3",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "user2")),
+ // user2 logout, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "user2"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_10001",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "is closing",
+ "",
+ "LOGOUT",
+ "127.0.0.1",
+ "user2")),
+ // =============================Audit user root
final=============================
+ // root login, twice for both read and write connections
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "null",
+ "",
+ "CONTROL",
+ "IoTDB: Login status: Login successfully. User root (ID=0),
opens Session",
+ "",
+ "LOGIN",
+ "127.0.0.1",
+ "root")),
+ // Delete timeseries data
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.s3] with result true",
+ "delete timeseries root.test.d1.s3",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Drop timeseries
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[WRITE_SCHEMA]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object
[root.test.d1.*] with result true",
+ "drop timeseries root.test.d1.*",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Revoke privileges
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SECURITY]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user1 with
result true",
+ "REVOKE READ_DATA, WRITE_DATA ON root.test.** FROM USER
user1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[SECURITY]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object role1 with
result true",
+ "REVOKE READ ON root.test.** FROM ROLE role1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Drop user/role
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user1 with
result true",
+ "DROP USER user1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_USER]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object user2 with
result true",
+ "DROP USER user2",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root"),
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "GLOBAL",
+ "[MANAGE_ROLE]",
+ "null",
+ "DDL",
+ "User root (ID=0) requests authority on object role1 with
result true",
+ "DROP ROLE role1",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Delete database
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[MANAGE_DATABASE]",
+ "[root.test]",
+ "DDL",
+ "User root (ID=0) requests authority on object [root.test]
with result true",
+ "DELETE DATABASE root.test",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")),
+ // Select audit log
+ new AuditLogSet(
+ Arrays.asList(
+ "root.__audit.log.node_1.u_0",
+ "true",
+ "OBJECT",
+ "[READ_DATA]",
+ "null",
+ "QUERY",
+ "User root (ID=0) requests authority on object
[root.__audit.log.**.*] with result true",
+ "SELECT * FROM root.__audit.log.** ORDER BY TIME ALIGN BY
DEVICE",
+ "OBJECT_AUTHENTICATION",
+ "127.0.0.1",
+ "root")));
+ private static final Set<Integer> TREE_INDEX_FOR_CONTAIN =
+ Stream.of(7).collect(Collectors.toSet());
+
+ @Test
+ public void basicAuditLogTestForTreeModel() throws SQLException,
InterruptedException {
+ Connection connection =
EnvFactory.getEnv().getConnection(BaseEnv.TREE_SQL_DIALECT);
+ Statement statement = connection.createStatement();
+ for (String sql : TREE_MODEL_AUDIT_SQLS_USER_ROOT) {
+ statement.execute(sql);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
+ }
+ closeConnectionCompletely(connection);
+ connection =
+ EnvFactory.getEnv().getConnection("user1", "IoTDB@2025abc",
BaseEnv.TREE_SQL_DIALECT);
+ statement = connection.createStatement();
+ for (String sql : TREE_MODEL_AUDIT_SQLS_USER_USER1) {
+ statement.execute(sql);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
+ }
+ closeConnectionCompletely(connection);
connection =
EnvFactory.getEnv().getConnection("user2", "IoTDB@2025abc",
BaseEnv.TREE_SQL_DIALECT);
statement = connection.createStatement();
for (String sql : TREE_MODEL_AUDIT_SQLS_USER_USER2) {
try {
statement.execute(sql);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
} catch (SQLException e) {
// Ignore, only record audit log
}
@@ -2305,28 +2405,13 @@ public class IoTDBAuditLogBasicIT {
statement = connection.createStatement();
for (String sql : TREE_MODEL_AUDIT_SQLS_USER_ROOT_FINAL) {
statement.execute(sql);
+ TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS);
}
- int count = 0;
ResultSet resultSet =
statement.executeQuery("SELECT * FROM root.__audit.log.** ORDER BY
TIME ALIGN BY DEVICE");
- while (resultSet.next()) {
- LOGGER.info("Expected audit log: {}",
TREE_MODEL_AUDIT_FIELDS.get(count));
- List<String> actualFields = new ArrayList<>();
- for (int i = 1; i <= 11; i++) {
- actualFields.add(resultSet.getString(i + 1));
- }
- LOGGER.info("Actual audit log: {}", actualFields);
- List<String> expectedFields = TREE_MODEL_AUDIT_FIELDS.get(count);
- for (int i = 1; i <= 11; i++) {
- if (TREE_INDEX_FOR_CONTAIN.contains(i)) {
- Assert.assertTrue(resultSet.getString(i +
1).contains(expectedFields.get(i - 1)));
- continue;
- }
- Assert.assertEquals(expectedFields.get(i - 1), resultSet.getString(i +
1));
- }
-
- count++;
+ for (AuditLogSet expectedAuditLogSet : TREE_MODEL_AUDIT_FIELDS) {
+ expectedAuditLogSet.containAuditLog(resultSet, TREE_INDEX_FOR_CONTAIN,
11);
}
- Assert.assertEquals(TREE_MODEL_AUDIT_FIELDS.size(), count);
+ Assert.assertFalse(resultSet.next());
}
}
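Review bot: The root connection used for the final block is never closed as far as this hunk shows — after `statement = connection.createStatement();` the method runs to its closing brace without the `closeConnectionCompletely(connection)` call that the earlier user blocks get, and neither the `Statement` nor the `ResultSet` is in a try-with-resources, so the session and cursor leak into later tests in the same environment. Moving the connection close to a `finally` (or try-with-resources around the connection, statement and result set) keeps the `Assert.assertFalse(resultSet.next())` check independent of cursor cleanup. The fixed `TimeUnit.MILLISECONDS.sleep(ENSURE_AUDIT_LOG_SLEEP_IN_MS)` after every statement is a timing assumption; polling the audit table until the expected entry count appears, with a bounded timeout, would be less flaky on slow CI than sleeping per statement. The enclosing method `basicAuditLogTestForTreeModel` starts outside this hunk.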
diff --git
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
index aa999677075..4ffa2c9a5f9 100644
---
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
+++
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
@@ -593,7 +593,8 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
context::getUsername);
return AuthorityChecker.getTSStatus(false,
PrivilegeType.MANAGE_ROLE);
}
- recordObjectAuthenticationAuditLog(context.setResult(true),
context::getUsername);
+ recordObjectAuthenticationAuditLog(
+ context.setPrivilegeType(null).setResult(true),
context::getUsername);
statement.setUserName(context.getUsername());
return RpcUtils.SUCCESS_STATUS;
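Review bot: Clearing the privilege with `context.setPrivilegeType(null)` before recording the success entry leaves the audit row without the privilege that was evaluated — the test expectations in this commit show the privilege column as `[null]` (presumably the list rendering of a single null entry) for the self-scoped `list role`, while the denial branch just above appears to record `[MANAGE_ROLE]`. An auditor reading the success row therefore cannot tell whether the request was granted on a privilege or because it was narrowed to the caller's own identity; an explicit marker, or leaving the type set and letting the narrowed object convey the scope, would be more informative than null. The mutation is also on the shared context object, so anything reading `getPrivilegeType()` later in the same request sees null; a comment such as `// Self-scoped listing: no privilege is required, so do not attribute the grant to MANAGE_ROLE` would make the intent explicit for the next reader. The enclosing method starts outside this hunk.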
@@ -1151,8 +1152,10 @@ public class TreeAccessCheckVisitor extends
StatementVisitor<TSStatus, TreeAcces
checkedPaths,
permission);
if (!AuthorityChecker.INTERNAL_AUDIT_USER.equals(context.getUsername())) {
- // Skip internal auditor
- recordObjectAuthenticationAuditLog(context.setResult(true),
checkedPaths::toString);
+ // Internal auditor no needs audit log
+ recordObjectAuthenticationAuditLog(
+ context.setResult(result.getCode() ==
TSStatusCode.SUCCESS_STATUS.getStatusCode()),
+ checkedPaths::toString);
}
return result;
}
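Review bot: The recorded outcome now mirrors the authorization status instead of the hard-coded `true` — previously a denied path check was written to the audit log as a success — but the comment above it, `// Internal auditor no needs audit log`, says nothing about that and is ungrammatical; suggest `// Record the real authorization outcome; the internal audit user's own checks are skipped (presumably to avoid recursive audit entries — confirm)`. The skip is keyed on a plain username comparison with `AuthorityChecker.INTERNAL_AUDIT_USER`, so it is worth confirming elsewhere that this name is reserved and cannot be assigned to an ordinary user, otherwise such an account would bypass this audit entry entirely. Any non-success code, not only an authorization denial, is now recorded as `false`; if `result` can carry other error statuses from the check above, the audit row will not distinguish a denial from an internal failure. The enclosing method starts outside this hunk.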