Hi,

Just want to make a confirmation: so we cannot grant privileges to 'root.sg.**'. It is illegal, right?

-----------------------------------
Xiangdong Huang
School of Software, Tsinghua University

Yukun Zhou <zykun0...@gmail.com> wrote on Friday, May 6, 2022 at 19:14:

> Hi
>
> Currently, the rule of IoTDB's auth check is prefix match, which is
> inconsistent with pattern match in DDL and DML. Therefore, we want to
> refactor the rule to pattern match.
> For example, an old SQL, 'GRANT USER ln_write_user PRIVILEGES
> INSERT_TIMESERIES on root.ln', won't work any more. The replacement is
> 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.
>
> Besides, we introduce the concept, sub pattern, which means a
> pattern's result set contains all the elements of its sub pattern's
> result set. For example, 'root.sg.d.*' is a sub pattern of
> 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of
> 'root.sg.*.*'.
> When a user is granted privilege on a pattern, the pattern used in his
> DDL or DML must be a sub pattern of the privilege pattern, which
> guarantees that the user won't access timeseries that exceed his
> privilege scope.
>
> To guarantee the efficiency and performance of auth check, we will
> implement the auth check after the generation of statement and before
> the execution of statement.
>
> Hope for some suggestions.
>
>
> Best
> ----------------------------------------------------
> Yukun Zhou
> School of Software, Tsinghua University
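
The sub-pattern rule from the quoted proposal, sketched as an added example; it is not IoTDB's implementation and does not come from either author. It assumes `*` matches exactly one path level, `**` matches one or more levels, and wildcards occupy whole nodes only; `is_sub_pattern`, `_step` and `FRESH` are hypothetical names.

```python
from functools import lru_cache

FRESH = object()  # stands for a node name that appears in no pattern (assumption)

def _step(sup, states, sym):
    """Advance the privilege pattern, viewed as an NFA, by one path node."""
    nxt = set()
    for j in states:
        if j < len(sup) and (sup[j] in ("*", "**") or sup[j] == sym):
            nxt.add(j + 1)                 # sup[j] consumes this node
        if j > 0 and sup[j - 1] == "**":   # a preceding '**' absorbs one more level
            nxt.add(j)
    return frozenset(nxt)

def is_sub_pattern(sub, sup):
    """True if every path matched by `sub` is also matched by `sup`."""
    sub, sup = tuple(sub.split(".")), tuple(sup.split("."))

    @lru_cache(maxsize=None)
    def contained(i, states):
        if i == len(sub):                  # statement pattern fully consumed
            return len(sup) in states      # privilege pattern must be too
        if sub[i] != "**":
            # A wildcard in `sub` is checked with a node name that no literal
            # in `sup` can match: the hardest case for the privilege pattern.
            sym = FRESH if sub[i] == "*" else sub[i]
            return contained(i + 1, _step(sup, states, sym))
        # '**' in `sub`: every length >= 1 must stay inside `sup`. The state
        # sets are finite, so stop once one repeats.
        seen = set()
        states = _step(sup, states, FRESH)
        while states not in seen:
            if not contained(i + 1, states):
                return False
            seen.add(states)
            states = _step(sup, states, FRESH)
        return True

    return contained(0, frozenset({0}))
```

An authorization check built on this would reject a statement when `is_sub_pattern(statement_pattern, granted_pattern)` is false for every pattern granted to the user.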