Hi,

Currently, the rule of IoTDB's auth check is prefix match, which is inconsistent with the pattern match used in DDL and DML. Therefore, we want to refactor the rule to pattern match. For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln', won't work any more. The replacement is 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.

Besides, we introduce the concept of a sub pattern, which means that a pattern's result set contains all the elements of its sub pattern's result set. For example, 'root.sg.d.*' is a sub pattern of 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of 'root.sg.*.*'. When a user is granted a privilege on a pattern, the pattern used in his DDL or DML must be a sub pattern of the privilege pattern, which guarantees that the user won't access timeseries that exceed his privilege scope.

To guarantee the efficiency and performance of the auth check, we will implement the auth check after the generation of the statement and before the execution of the statement.

Hope for some suggestions.

Best
----------------------------------------------------
Yukun Zhou
School of Software, Tsinghua University
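
The sub pattern test described in the message above, sketched as an added example (this is not IoTDB code and not part of the original e-mail). It assumes wildcards occupy a whole path node, that '*' matches exactly one level and that '**' matches one or more levels; the name is_sub_pattern is hypothetical.

```python
from collections import deque

ONE, MANY = "*", "**"  # assumed: '*' = exactly one level, '**' = one or more levels


def _step(nodes, state, sym):
    """NFA successors of `state` (= pattern nodes consumed) on one path level."""
    nxt = set()
    if state < len(nodes) and nodes[state] in (ONE, MANY, sym):
        nxt.add(state + 1)
    if state > 0 and nodes[state - 1] == MANY:
        nxt.add(state)  # '**' keeps absorbing further levels
    return nxt


def is_sub_pattern(sub, priv):
    """True iff every path matched by `sub` is also matched by `priv`."""
    s, p = sub.split("."), priv.split(".")
    # Node names only matter when they equal a literal in one of the patterns,
    # so the literals plus one stand-in for "any other name" cover all paths.
    alphabet = {n for n in s + p if n not in (ONE, MANY)} | {"\0other"}
    start = (0, frozenset({0}))
    seen, queue = {start}, deque([start])
    while queue:
        s_state, p_states = queue.popleft()
        if s_state == len(s) and len(p) not in p_states:
            return False  # some path matches `sub` but escapes `priv`
        for sym in alphabet:
            p_next = frozenset(t for q in p_states for t in _step(p, q, sym))
            for s_next in _step(s, s_state, sym):
                item = (s_next, p_next)
                if item not in seen:
                    seen.add(item)
                    queue.append(item)
    return True


if __name__ == "__main__":
    # Constructed check: privilege pattern from the GRANT in the message.
    granted = "root.ln.**"
    for requested in ("root.ln.wf01.*", "root.sg.d.*"):
        verdict = "allow" if is_sub_pattern(requested, granted) else "deny"
        print(requested, "->", verdict)
```

Because the check compares two patterns rather than expanding them against stored timeseries, it can run once per statement between statement generation and execution, as the message proposes.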
