wallacezhou commented on issue #21615:
URL:
https://github.com/apache/shardingsphere/issues/21615#issuecomment-1285296585
After checking the code: the newInstance() method of class ProxyBackendHandlerFactory will be used to invoke DatabaseBackendHandlerFactory.
In ProxyBackendHandlerFactory's newInstance() method, it calls the check() method in SQLCheckEngine, and that check() call invokes the check() method in AuthorityChecker.
When the database name param has a value but the user has permission for the database, the check will fail, and in the end a SQLCheckException is thrown.

There are two cases:

1. When connecting to the ShardingSphere proxy with a client tool, the connect SQL may contain a database the connecting account has no permission for. The database name is used as a parameter in the check() method of class AuthorityChecker, causing the client tool to receive an error, and the connection fails.
2. Connecting to the ShardingSphere proxy with a client tool succeeds, but there are still cases where the check() method of AuthorityChecker fails. E.g. when executing a select query `select * from tablename` in the MySQL client, there may be extra SQL that queries MySQL's meta database performance_schema sent to the proxy. The select SQL check will pass and execute successfully, but the extra query fails: as the database name performance_schema is used as a parameter in the check() method of AuthorityChecker, a SQLCheckException is thrown. Unlike the connection case, the SQLCheckException has no visible impact.

The proxy gets the database name from the client SQL and uses it as a parameter in the AuthorityChecker check() method. Though the database name is correct, the check may fail and cause an issue.

3 ways to fix the issue that I can think of now:

1. Consider whether the check() method of SQLCheckEngine should throw a SQLCheckException or not. If no exception is thrown, the client can connect successfully.
2. Add a new check() method that only returns a boolean value and does not throw an exception for this case.
3. In the newInstance() method of ProxyBackendHandlerFactory, revise the logic of the variable databaseName used for the check:

```java
String databaseName = sqlStatementContext.getTablesContext().getDatabaseName().isPresent()
        ? sqlStatementContext.getTablesContext().getDatabaseName().get()
        : connectionSession.getDatabaseName();
SQLCheckEngine.check(sqlStatementContext, Collections.emptyList(), getRules(databaseName), databaseName,
        ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getDatabases(),
        connectionSession.getGrantee());
```

In proxy version 5.1, the client can connect to the proxy successfully. The reason is that the databaseName parameter passed to SQLCheckEngine.check() is null, as the connectionSession.getDatabaseName() logic is different; the check logic is skipped and the check result is success.
This may not be a good choice.

Thing that needs clarifying:
The MySQL client sends extra meta database SQL to the proxy, e.g. queries from performance_schema, and the extra SQL is not visible to the user; these meta databases are not owned by the user.
Do these extra SQL statements need to be checked based on the user-configured authority?
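
A simplified stand-alone model of the behaviour described in the comment above, added here as an example; it is not ShardingSphere code. The class and method names, the grant set and the `sharding_db` name are constructed assumptions, and the null-skips-the-check branch follows the comment's description of 5.1.

```java
import java.util.Optional;
import java.util.Set;

// Simplified model, not ShardingSphere source: every class and method name here is hypothetical.
public class AuthorityCheckModel {

    static class CheckException extends RuntimeException {
        CheckException(String message) { super(message); }
    }

    // Mirrors the snippet in the comment: a database named in the statement wins over the session database.
    static String resolveDatabase(Optional<String> statementDatabase, String sessionDatabase) {
        return statementDatabase.orElse(sessionDatabase);
    }

    // Non-throwing variant (option 2). A null name skips the check, as the comment describes for 5.1.
    static boolean isPermitted(Set<String> grantedDatabases, String databaseName) {
        return databaseName == null || grantedDatabases.contains(databaseName);
    }

    // Throwing variant: the behaviour the comment reports.
    static void check(Set<String> grantedDatabases, String databaseName) {
        if (!isPermitted(grantedDatabases, databaseName)) {
            throw new CheckException("no authority on database '" + databaseName + "'");
        }
    }

    public static void main(String[] args) {
        Set<String> granted = Set.of("sharding_db"); // constructed grant for a constructed user
        String session = "sharding_db";              // constructed session database

        // The user's own query names no database, so the session database is checked and passes.
        check(granted, resolveDatabase(Optional.empty(), session));
        System.out.println("user query: allowed");

        // A client-generated metadata query names performance_schema explicitly.
        String meta = resolveDatabase(Optional.of("performance_schema"), session);
        System.out.println("metadata query permitted? " + isPermitted(granted, meta));
        try {
            check(granted, meta);
        } catch (CheckException ex) {
            System.out.println("metadata query rejected: " + ex.getMessage());
        }

        // A null database name bypasses the authority check entirely (fail-open).
        System.out.println("null database permitted? " + isPermitted(granted, null));
    }
}
```

The last line of output shows why relying on a null database name to let connections through is fail-open: the grantee's configured authority is never consulted on that path.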