Caideyipi commented on code in PR #13158:
URL: https://github.com/apache/iotdb/pull/13158#discussion_r1901523472
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java:
##########
@@ -387,6 +466,10 @@ private void checkCacheAvailable() {
cacheOutDate = false;
}
+ public void setAcceptCache(boolean acceptCache) {
Review Comment:
Is this used?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -18,43 +18,62 @@
*/
package org.apache.iotdb.commons.auth.entity;
+import org.apache.iotdb.commons.exception.MetadataException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.commons.utils.SerializeUtils;
+import org.apache.iotdb.commons.utils.TestOnly;
+import org.apache.iotdb.confignode.rpc.thrift.TDBPrivilege;
+import org.apache.iotdb.confignode.rpc.thrift.TPathPrivilege;
+import org.apache.iotdb.confignode.rpc.thrift.TRoleResp;
+import org.apache.iotdb.confignode.rpc.thrift.TTablePrivilege;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
+import java.util.Map;
import java.util.Objects;
import java.util.Set;
-/** This class contains all information of a role. */
public class Role {
- private String name;
- private List<PathPrivilege> pathPrivilegeList;
+ protected String name;
+ protected List<PathPrivilege> pathPrivilegeList;
- private Set<Integer> sysPrivilegeSet;
+ protected Map<String, DatabasePrivilege> objectPrivilegeMap;
- private Set<Integer> sysPriGrantOpt;
+ protected Set<PrivilegeType> sysPrivilegeSet;
- private static final int SYS_PRI_SIZE = PrivilegeType.getSysPriCount();
+ protected Set<PrivilegeType> sysPriGrantOpt;
- private boolean serviceReady = true;
+ protected Set<PrivilegeType> anyScopePrivilegeSet;
+ protected Set<PrivilegeType> anyScopePrivileGrantOptSet;
Review Comment:
Privilege?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPrivilegeSet(int privilegeMask) {
- if (sysPrivilegeSet == null) {
- sysPrivilegeSet = new HashSet<>();
- }
- if (sysPriGrantOpt == null) {
- sysPriGrantOpt = new HashSet<>();
+ public void setSysPrivilegeSet(Set<PrivilegeType> privilegeSet) {
+ this.sysPrivilegeSet = privilegeSet;
+ }
+
+ public void setSysPrivilegeSetInt(Set<Integer> privilegeSet) {
+ for (Integer priv : privilegeSet) {
+ this.sysPrivilegeSet.add(PrivilegeType.values()[priv]);
}
+ }
+
+ public void setSysPrivilegesWithMask(int privMask) {
+ final int SYS_PRI_SIZE =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM);
for (int i = 0; i < SYS_PRI_SIZE; i++) {
- if ((privilegeMask & (1 << i)) != 0) {
+ if ((privMask & (1 << i)) != 0) {
sysPrivilegeSet.add(AuthUtils.posToSysPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
}
- if ((privilegeMask & (1 << (i + 16))) != 0) {
- sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
+ }
+
+ public void setAnyScopePrivilegeSetWithMask(int privMask) {
+ final int PRI_COUNT =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.RELATIONAL);
+ for (int i = 0; i < PRI_COUNT; i++) {
+ if ((privMask & (1 << i)) != 0) {
+ anyScopePrivilegeSet.add(AuthUtils.posToObjPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ anyScopePrivileGrantOptSet.add(AuthUtils.posToObjPri(i));
+ }
}
}
}
- public void addSysPrivilege(int privilegeId) {
- sysPrivilegeSet.add(privilegeId);
+ public void setSysPriGrantOpt(Set<PrivilegeType> grantOpt) {
+ this.sysPriGrantOpt = grantOpt;
+ }
+
+ public void setSysPriGrantOptInt(Set<Integer> grantOptInt) {
+ for (Integer priv : grantOptInt) {
+ this.sysPriGrantOpt.add(PrivilegeType.values()[priv]);
+ }
+ }
+
+ public void grantSysPrivilege(PrivilegeType priv, boolean grantOpt) {
+ sysPrivilegeSet.add(priv);
+ if (grantOpt) {
+ sysPriGrantOpt.add(priv);
+ }
+ }
+
+ private DatabasePrivilege getObjectPrivilegeInternal(String dbName) {
+ return objectPrivilegeMap.computeIfAbsent(dbName, DatabasePrivilege::new);
+ }
+
+ public void grantAnyScopePrivilege(PrivilegeType priv, boolean grantOpt) {
+ anyScopePrivilegeSet.add(priv);
+ if (grantOpt) {
+ anyScopePrivileGrantOptSet.add(priv);
+ }
+ }
+
+ public void revokeAnyScopePrivilege(PrivilegeType priv) {
+ anyScopePrivilegeSet.remove(priv);
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void revokeAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void grantDBPrivilege(String dbName, PrivilegeType priv, boolean
grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantDBPrivilege(priv);
+ if (grantOption) {
+ databasePrivilege.grantDBGrantOption(priv);
+ }
}
- public void removeSysPrivilege(int privilegeId) {
- sysPrivilegeSet.remove(privilegeId);
+ public void grantTBPrivilege(
+ String dbName, String tbName, PrivilegeType priv, boolean grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantTablePrivilege(tbName, priv);
+ if (grantOption) {
+ databasePrivilege.grantTableGrantOption(tbName, priv);
+ }
}
- public void setServiceReady(boolean ready) {
- serviceReady = ready;
+ public void revokeDBPrivilege(String dbName, PrivilegeType priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeDBPrivilege(priv);
+ databasePrivilege.revokeDBGrantOption(priv);
+ if (databasePrivilege.getTablePrivilegeMap().isEmpty()
+ && databasePrivilege.getPrivilegeSet().isEmpty()) {
+ objectPrivilegeMap.remove(dbName);
+ }
+ }
+
+ public void revokeDBPrivilegeGrantOption(String dbName, PrivilegeType priv) {
+ if (!objectPrivilegeMap.containsKey(dbName)) {
+ return;
+ }
+ DatabasePrivilege databasePrivilege = objectPrivilegeMap.get(dbName);
+ databasePrivilege.revokeDBGrantOption(priv);
+ }
+
+ public void revokeTBPrivilege(String dbName, String tbName, PrivilegeType
priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeTableGrantOption(tbName, priv);
Review Comment:
This may be called twice...
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPrivilegeSet(int privilegeMask) {
- if (sysPrivilegeSet == null) {
- sysPrivilegeSet = new HashSet<>();
- }
- if (sysPriGrantOpt == null) {
- sysPriGrantOpt = new HashSet<>();
+ public void setSysPrivilegeSet(Set<PrivilegeType> privilegeSet) {
+ this.sysPrivilegeSet = privilegeSet;
+ }
+
+ public void setSysPrivilegeSetInt(Set<Integer> privilegeSet) {
+ for (Integer priv : privilegeSet) {
+ this.sysPrivilegeSet.add(PrivilegeType.values()[priv]);
}
+ }
+
+ public void setSysPrivilegesWithMask(int privMask) {
+ final int SYS_PRI_SIZE =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM);
for (int i = 0; i < SYS_PRI_SIZE; i++) {
- if ((privilegeMask & (1 << i)) != 0) {
+ if ((privMask & (1 << i)) != 0) {
sysPrivilegeSet.add(AuthUtils.posToSysPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
}
- if ((privilegeMask & (1 << (i + 16))) != 0) {
- sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
+ }
+
+ public void setAnyScopePrivilegeSetWithMask(int privMask) {
+ final int PRI_COUNT =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.RELATIONAL);
+ for (int i = 0; i < PRI_COUNT; i++) {
+ if ((privMask & (1 << i)) != 0) {
+ anyScopePrivilegeSet.add(AuthUtils.posToObjPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ anyScopePrivileGrantOptSet.add(AuthUtils.posToObjPri(i));
+ }
}
}
}
- public void addSysPrivilege(int privilegeId) {
- sysPrivilegeSet.add(privilegeId);
+ public void setSysPriGrantOpt(Set<PrivilegeType> grantOpt) {
+ this.sysPriGrantOpt = grantOpt;
+ }
+
+ public void setSysPriGrantOptInt(Set<Integer> grantOptInt) {
+ for (Integer priv : grantOptInt) {
+ this.sysPriGrantOpt.add(PrivilegeType.values()[priv]);
+ }
+ }
+
+ public void grantSysPrivilege(PrivilegeType priv, boolean grantOpt) {
+ sysPrivilegeSet.add(priv);
+ if (grantOpt) {
+ sysPriGrantOpt.add(priv);
+ }
+ }
+
+ private DatabasePrivilege getObjectPrivilegeInternal(String dbName) {
+ return objectPrivilegeMap.computeIfAbsent(dbName, DatabasePrivilege::new);
+ }
+
+ public void grantAnyScopePrivilege(PrivilegeType priv, boolean grantOpt) {
+ anyScopePrivilegeSet.add(priv);
+ if (grantOpt) {
+ anyScopePrivileGrantOptSet.add(priv);
+ }
+ }
+
+ public void revokeAnyScopePrivilege(PrivilegeType priv) {
+ anyScopePrivilegeSet.remove(priv);
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void revokeAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void grantDBPrivilege(String dbName, PrivilegeType priv, boolean
grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantDBPrivilege(priv);
+ if (grantOption) {
+ databasePrivilege.grantDBGrantOption(priv);
+ }
}
- public void removeSysPrivilege(int privilegeId) {
- sysPrivilegeSet.remove(privilegeId);
+ public void grantTBPrivilege(
+ String dbName, String tbName, PrivilegeType priv, boolean grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantTablePrivilege(tbName, priv);
+ if (grantOption) {
+ databasePrivilege.grantTableGrantOption(tbName, priv);
+ }
}
- public void setServiceReady(boolean ready) {
- serviceReady = ready;
+ public void revokeDBPrivilege(String dbName, PrivilegeType priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
Review Comment:
What's the difference between "internal" and not "internal"... Besides
"private"
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -193,33 +535,43 @@ public boolean equals(Object o) {
return Objects.equals(name, role.name)
&& Objects.equals(pathPrivilegeList, role.pathPrivilegeList)
&& Objects.equals(sysPrivilegeSet, role.sysPrivilegeSet)
- && Objects.equals(sysPriGrantOpt, role.sysPriGrantOpt);
+ && Objects.equals(sysPriGrantOpt, role.sysPriGrantOpt)
+ && Objects.equals(objectPrivilegeMap, role.objectPrivilegeMap);
Review Comment:
AnyScope?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/LocalFileRoleAccessor.java:
##########
@@ -73,67 +76,126 @@
* All user/role file store in config node's user/role folder. when our system
start, we load all
* user/role from folder. If we did some alter query, we just store raft log.
*/
-public class LocalFileRoleAccessor implements IRoleAccessor {
+public class LocalFileRoleAccessor implements IEntryAccessor {
private static final Logger LOGGER =
LoggerFactory.getLogger(LocalFileRoleAccessor.class);
- private static final String TEMP_SUFFIX = ".temp";
- private static final String STRING_ENCODING = "utf-8";
- private static final String ROLE_SNAPSHOT_FILE_NAME = "system" +
File.separator + "roles";
+ protected static final String TEMP_SUFFIX = ".temp";
+ protected static final String STRING_ENCODING = "utf-8";
+ protected final String entryDirPath;
- private final String roleDirPath;
+ // It might be a good idea to use a Version number to control upgrade
compatibility.
+ // Now it's version 1
+ protected static final int VERSION = 1;
/**
* Reused buffer for primitive types encoding/decoding, which aim to reduce
memory fragments. Use
* ThreadLocal for thread safety.
*/
- private final ThreadLocal<ByteBuffer> encodingBufferLocal = new
ThreadLocal<>();
+ protected final ThreadLocal<ByteBuffer> encodingBufferLocal = new
ThreadLocal<>();
- private final ThreadLocal<byte[]> strBufferLocal = new ThreadLocal<>();
+ protected final ThreadLocal<byte[]> strBufferLocal = new ThreadLocal<>();
public LocalFileRoleAccessor(String roleDirPath) {
- this.roleDirPath = roleDirPath;
+ this.entryDirPath = roleDirPath;
}
- /**
- * @return role struct
- * @throws IOException
- */
- @Override
- public Role loadRole(String rolename) throws IOException {
- File roleProfile =
+ protected String getEntrySnapshotFileName() {
+ return "system" + File.separator + "roles";
+ }
+
+ protected void saveEntryVersion(BufferedOutputStream outputStream) throws
IOException {
+ IOUtils.writeInt(outputStream, VERSION, encodingBufferLocal);
+ }
+
+ protected void saveEntryName(BufferedOutputStream outputStream, Role role)
throws IOException {
+ IOUtils.writeString(outputStream, role.getName(), STRING_ENCODING,
encodingBufferLocal);
+ }
+
+ protected void savePrivileges(BufferedOutputStream outputStream, Role role)
throws IOException {
+ IOUtils.writeInt(outputStream, role.getAllSysPrivileges(),
encodingBufferLocal);
+ int privilegeNum = role.getPathPrivilegeList().size();
+ IOUtils.writeInt(outputStream, privilegeNum, encodingBufferLocal);
+ for (int i = 0; i < privilegeNum; i++) {
+ PathPrivilege pathPrivilege = role.getPathPrivilegeList().get(i);
+ IOUtils.writePathPrivilege(outputStream, pathPrivilege, STRING_ENCODING,
encodingBufferLocal);
+ }
+ IOUtils.writeInt(outputStream, role.getAnyScopePrivileges(),
encodingBufferLocal);
+ privilegeNum = role.getObjectPrivilegeMap().size();
+ IOUtils.writeInt(outputStream, privilegeNum, encodingBufferLocal);
+ for (Map.Entry<String, DatabasePrivilege> objectPrivilegeMap :
+ role.getObjectPrivilegeMap().entrySet()) {
+ IOUtils.writeObjectPrivilege(
+ outputStream, objectPrivilegeMap.getValue(), STRING_ENCODING,
encodingBufferLocal);
+ }
+ }
+
+ protected void loadPrivileges(DataInputStream dataInputStream, Role role)
+ throws IOException, IllegalPathException {
+ int num = ReadWriteIOUtils.readInt(dataInputStream);
+ List<PathPrivilege> pathPrivilegeList = new ArrayList<>();
+ for (int i = 0; i < num; i++) {
+ pathPrivilegeList.add(
+ IOUtils.readPathPrivilege(dataInputStream, STRING_ENCODING,
strBufferLocal));
+ }
+ role.setPrivilegeList(pathPrivilegeList);
+
role.setAnyScopePrivilegeSetWithMask(ReadWriteIOUtils.readInt(dataInputStream));
+ Map<String, DatabasePrivilege> objectPrivilegeMap = new HashMap<>();
+ num = ReadWriteIOUtils.readInt(dataInputStream);
+ for (int i = 0; i < num; i++) {
+ DatabasePrivilege databasePrivilege =
+ IOUtils.readRelationalPrivilege(dataInputStream, STRING_ENCODING,
strBufferLocal);
+ objectPrivilegeMap.put(databasePrivilege.getDatabaseName(),
databasePrivilege);
+ }
+ role.setObjectPrivilegeMap(objectPrivilegeMap);
+ }
+
+ protected void saveRoles(Role role) throws IOException {
+ // Just used in LocalFileUserAccessor.java.
+ // Do nothing.
+ }
+
+ protected File checkFileAvailable(String entryName, String suffix) {
+ File userProfile =
SystemFileFactory.INSTANCE.getFile(
- roleDirPath + File.separator + rolename +
IoTDBConstant.PROFILE_SUFFIX);
- if (!roleProfile.exists() || !roleProfile.isFile()) {
- // System may crush before a newer file is written, so search for
back-up file.
- File backProfile =
+ entryDirPath + File.separator + entryName + suffix +
IoTDBConstant.PROFILE_SUFFIX);
+ if (!userProfile.exists() || !userProfile.isFile()) {
+ // System may crush before a newer file is renamed.
+ File newProfile =
SystemFileFactory.INSTANCE.getFile(
- roleDirPath + File.separator + rolename +
IoTDBConstant.PROFILE_SUFFIX + TEMP_SUFFIX);
- if (backProfile.exists() && backProfile.isFile()) {
- roleProfile = backProfile;
+ entryDirPath
+ + File.separator
+ + entryName
+ + suffix
+ + IoTDBConstant.PROFILE_SUFFIX
+ + TEMP_SUFFIX);
+ if (newProfile.exists() && newProfile.isFile()) {
+ if (!newProfile.renameTo(userProfile)) {
+ LOGGER.error("New profile renaming not succeed.");
+ }
+ userProfile = newProfile;
} else {
return null;
}
}
- FileInputStream inputStream = new FileInputStream(roleProfile);
+ return userProfile;
+ }
+
+ @Override
+ public Role loadEntry(String entryName) throws IOException {
+ File entryFile = checkFileAvailable(entryName, "");
+ if (entryFile == null) {
+ return null;
+ }
+
+ FileInputStream inputStream = new FileInputStream(entryFile);
try (DataInputStream dataInputStream =
new DataInputStream(new BufferedInputStream(inputStream))) {
- Role role = new Role();
- Pair<String, Boolean> result =
- IOUtils.readAuthString(dataInputStream, STRING_ENCODING,
strBufferLocal);
- role.setName(result.getLeft());
- boolean oldVersion = result.getRight();
- if (oldVersion) {
- IOUtils.loadRolePrivilege(role, dataInputStream, STRING_ENCODING,
strBufferLocal);
- return role;
- } else {
- role.setSysPrivilegeSet(dataInputStream.readInt());
- List<PathPrivilege> pathPrivilegeList = new ArrayList<>();
- for (int i = 0; dataInputStream.available() != 0; i++) {
- pathPrivilegeList.add(
- IOUtils.readPathPrivilege(dataInputStream, STRING_ENCODING,
strBufferLocal, false));
- }
- role.setPrivilegeList(pathPrivilegeList);
- return role;
- }
+ int version = dataInputStream.readInt();
+ assert version == VERSION;
Review Comment:
Should guarantee the compatibility here...
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -66,31 +85,164 @@ public List<PathPrivilege> getPathPrivilegeList() {
return pathPrivilegeList;
}
- public Set<Integer> getSysPrivilege() {
+ public Set<PrivilegeType> getSysPrivilege() {
return sysPrivilegeSet;
}
- public Set<Integer> getPathPrivileges(PartialPath path) {
+ private Set<Integer> getPrivilegeIntSet(Set<PrivilegeType> privs) {
+ Set<Integer> res = new HashSet<>();
+ for (PrivilegeType priv : privs) {
+ res.add(priv.ordinal());
+ }
+ return res;
+ }
+
+ public Set<PrivilegeType> getPathPrivileges(PartialPath path) {
return AuthUtils.getPrivileges(path, pathPrivilegeList);
}
- public Set<Integer> getSysPriGrantOpt() {
+ public Set<PrivilegeType> getSysPriGrantOpt() {
return sysPriGrantOpt;
}
- public int getAllSysPrivileges() {
- int privs = 0;
- for (Integer sysPri : sysPrivilegeSet) {
- privs |= 1 << AuthUtils.sysPriTopos(sysPri);
+ public Set<PrivilegeType> getAnyScopePrivilegeGrantOpt() {
+ return anyScopePrivileGrantOptSet;
+ }
+
+ public Set<PrivilegeType> getAnyScopePrivilegeSet() {
+ return anyScopePrivilegeSet;
+ }
+
+ public Map<String, DatabasePrivilege> getObjectPrivilegeMap() {
+ return objectPrivilegeMap;
+ }
+
+ public DatabasePrivilege getObjectPrivilege(String objectName) {
Review Comment:
This method is dangerous... Currently it's only used in "grant" thus it is
OK. However, if someone wants to only get the database privilege from outside,
there will be an empty database privilege, then the database may be able to be
shown.
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java:
##########
@@ -88,4 +94,184 @@ public void checkCanShowOrDescTable(String userName,
QualifiedObjectName tableNa
public void checkUserHasMaintainPrivilege(String userName) {
authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MAINTAIN);
}
+
+ @Override
+ public void checkUserCanRunAuthorStatement(String userName,
RelationalAuthorStatement statement) {
Review Comment:
Can we reuse the AuthorType and checking logic of the (tree)
AuthorStatement? They look the same....
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPrivilegeSet(int privilegeMask) {
- if (sysPrivilegeSet == null) {
- sysPrivilegeSet = new HashSet<>();
- }
- if (sysPriGrantOpt == null) {
- sysPriGrantOpt = new HashSet<>();
+ public void setSysPrivilegeSet(Set<PrivilegeType> privilegeSet) {
+ this.sysPrivilegeSet = privilegeSet;
+ }
+
+ public void setSysPrivilegeSetInt(Set<Integer> privilegeSet) {
+ for (Integer priv : privilegeSet) {
+ this.sysPrivilegeSet.add(PrivilegeType.values()[priv]);
}
+ }
+
+ public void setSysPrivilegesWithMask(int privMask) {
+ final int SYS_PRI_SIZE =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM);
for (int i = 0; i < SYS_PRI_SIZE; i++) {
- if ((privilegeMask & (1 << i)) != 0) {
+ if ((privMask & (1 << i)) != 0) {
sysPrivilegeSet.add(AuthUtils.posToSysPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
}
- if ((privilegeMask & (1 << (i + 16))) != 0) {
- sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
+ }
+
+ public void setAnyScopePrivilegeSetWithMask(int privMask) {
+ final int PRI_COUNT =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.RELATIONAL);
+ for (int i = 0; i < PRI_COUNT; i++) {
+ if ((privMask & (1 << i)) != 0) {
+ anyScopePrivilegeSet.add(AuthUtils.posToObjPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ anyScopePrivileGrantOptSet.add(AuthUtils.posToObjPri(i));
+ }
}
}
}
- public void addSysPrivilege(int privilegeId) {
- sysPrivilegeSet.add(privilegeId);
+ public void setSysPriGrantOpt(Set<PrivilegeType> grantOpt) {
+ this.sysPriGrantOpt = grantOpt;
+ }
+
+ public void setSysPriGrantOptInt(Set<Integer> grantOptInt) {
+ for (Integer priv : grantOptInt) {
+ this.sysPriGrantOpt.add(PrivilegeType.values()[priv]);
+ }
+ }
+
+ public void grantSysPrivilege(PrivilegeType priv, boolean grantOpt) {
+ sysPrivilegeSet.add(priv);
+ if (grantOpt) {
+ sysPriGrantOpt.add(priv);
+ }
+ }
+
+ private DatabasePrivilege getObjectPrivilegeInternal(String dbName) {
+ return objectPrivilegeMap.computeIfAbsent(dbName, DatabasePrivilege::new);
+ }
+
+ public void grantAnyScopePrivilege(PrivilegeType priv, boolean grantOpt) {
+ anyScopePrivilegeSet.add(priv);
+ if (grantOpt) {
+ anyScopePrivileGrantOptSet.add(priv);
+ }
+ }
+
+ public void revokeAnyScopePrivilege(PrivilegeType priv) {
+ anyScopePrivilegeSet.remove(priv);
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void revokeAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void grantDBPrivilege(String dbName, PrivilegeType priv, boolean
grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantDBPrivilege(priv);
+ if (grantOption) {
+ databasePrivilege.grantDBGrantOption(priv);
+ }
}
- public void removeSysPrivilege(int privilegeId) {
- sysPrivilegeSet.remove(privilegeId);
+ public void grantTBPrivilege(
+ String dbName, String tbName, PrivilegeType priv, boolean grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantTablePrivilege(tbName, priv);
+ if (grantOption) {
+ databasePrivilege.grantTableGrantOption(tbName, priv);
+ }
}
- public void setServiceReady(boolean ready) {
- serviceReady = ready;
+ public void revokeDBPrivilege(String dbName, PrivilegeType priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeDBPrivilege(priv);
+ databasePrivilege.revokeDBGrantOption(priv);
+ if (databasePrivilege.getTablePrivilegeMap().isEmpty()
+ && databasePrivilege.getPrivilegeSet().isEmpty()) {
+ objectPrivilegeMap.remove(dbName);
+ }
+ }
+
+ public void revokeDBPrivilegeGrantOption(String dbName, PrivilegeType priv) {
+ if (!objectPrivilegeMap.containsKey(dbName)) {
+ return;
+ }
+ DatabasePrivilege databasePrivilege = objectPrivilegeMap.get(dbName);
+ databasePrivilege.revokeDBGrantOption(priv);
+ }
+
+ public void revokeTBPrivilege(String dbName, String tbName, PrivilegeType
priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeTableGrantOption(tbName, priv);
+ databasePrivilege.revokeTablePrivilege(tbName, priv);
+ if (databasePrivilege.getTablePrivilegeMap().isEmpty()
+ && databasePrivilege.getPrivilegeSet().isEmpty()) {
+ this.objectPrivilegeMap.remove(dbName);
+ }
+ }
+
+ public void revokeTBPrivilegeGrantOption(String dbName, String tbName,
PrivilegeType priv) {
+ if (!objectPrivilegeMap.containsKey(dbName)) {
+ return;
+ }
+ DatabasePrivilege databasePrivilege = objectPrivilegeMap.get(dbName);
+ if (!databasePrivilege.getTablePrivilegeMap().containsKey(tbName)) {
+ return;
+ }
+ TablePrivilege tablePrivilege =
databasePrivilege.getTablePrivilegeMap().get(tbName);
+ tablePrivilege.revokeGrantOption(priv);
+ }
+
+ public void grantSysPrivilegeGrantOption(PrivilegeType priv) {
+ sysPriGrantOpt.add(priv);
+ }
+
+ public void revokeSysPrivilege(PrivilegeType priv) {
+ sysPrivilegeSet.remove(priv);
}
/** ------------ check func ---------------* */
- public boolean hasPrivilegeToRevoke(PartialPath path, int privilegeId) {
- if (path == null) {
- return sysPrivilegeSet.contains(privilegeId);
- } else {
- return AuthUtils.hasPrivilegeToReovke(path, privilegeId,
pathPrivilegeList);
+ public boolean hasPrivilegeToRevoke(PartialPath path, PrivilegeType priv) {
+ return AuthUtils.hasPrivilegeToRevoke(path, priv, pathPrivilegeList);
+ }
+
+ public boolean hasPrivilegeToRevoke(PrivilegeType priv) {
+ return this.sysPrivilegeSet.contains(priv);
+ }
+
+ public boolean hasPrivilegeToRevoke(String dbname, PrivilegeType priv) {
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv);
+ }
+
+ public boolean hasPrivilegeToRevoke(String dbname, String tbName,
PrivilegeType priv) {
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkTablePrivilege(tbName,
priv);
+ }
+
+ public boolean checkAnyScopePrivilege(PrivilegeType priv) {
+ return anyScopePrivilegeSet.contains(priv);
+ }
+
+ public boolean checkDatabasePrivilege(String dbname, PrivilegeType priv) {
+ return checkAnyScopePrivilege(priv)
+ || (this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv));
+ }
+
+ public boolean checkTablePrivilege(String dbname, String table,
PrivilegeType priv) {
+ return checkAnyScopePrivilege(priv)
+ || (this.objectPrivilegeMap.containsKey(dbname)
+ && (this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv)
+ ||
this.objectPrivilegeMap.get(dbname).checkTablePrivilege(table, priv)));
+ }
+
+ public boolean checkDatabasePrivilegeGrantOption(String dbname,
PrivilegeType priv) {
+ if (checkAnyScopePrivilegeGrantOption(priv)) {
+ return true;
}
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBGrantOption(priv);
}
- public boolean checkPathPrivilege(PartialPath path, int privilegeId) {
- return AuthUtils.checkPathPrivilege(path, privilegeId, pathPrivilegeList);
+ public boolean checkTablePrivilegeGrantOption(String dbname, String table,
PrivilegeType priv) {
+ if (checkAnyScopePrivilegeGrantOption(priv)) {
Review Comment:
This may be called twice..
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPrivilegeSet(int privilegeMask) {
- if (sysPrivilegeSet == null) {
- sysPrivilegeSet = new HashSet<>();
- }
- if (sysPriGrantOpt == null) {
- sysPriGrantOpt = new HashSet<>();
+ public void setSysPrivilegeSet(Set<PrivilegeType> privilegeSet) {
+ this.sysPrivilegeSet = privilegeSet;
+ }
+
+ public void setSysPrivilegeSetInt(Set<Integer> privilegeSet) {
+ for (Integer priv : privilegeSet) {
+ this.sysPrivilegeSet.add(PrivilegeType.values()[priv]);
}
+ }
+
+ public void setSysPrivilegesWithMask(int privMask) {
+ final int SYS_PRI_SIZE =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM);
for (int i = 0; i < SYS_PRI_SIZE; i++) {
- if ((privilegeMask & (1 << i)) != 0) {
+ if ((privMask & (1 << i)) != 0) {
sysPrivilegeSet.add(AuthUtils.posToSysPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
}
- if ((privilegeMask & (1 << (i + 16))) != 0) {
- sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
+ }
+
+ public void setAnyScopePrivilegeSetWithMask(int privMask) {
+ final int PRI_COUNT =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.RELATIONAL);
+ for (int i = 0; i < PRI_COUNT; i++) {
+ if ((privMask & (1 << i)) != 0) {
+ anyScopePrivilegeSet.add(AuthUtils.posToObjPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ anyScopePrivileGrantOptSet.add(AuthUtils.posToObjPri(i));
+ }
}
}
}
- public void addSysPrivilege(int privilegeId) {
- sysPrivilegeSet.add(privilegeId);
+ public void setSysPriGrantOpt(Set<PrivilegeType> grantOpt) {
+ this.sysPriGrantOpt = grantOpt;
+ }
+
+ public void setSysPriGrantOptInt(Set<Integer> grantOptInt) {
+ for (Integer priv : grantOptInt) {
+ this.sysPriGrantOpt.add(PrivilegeType.values()[priv]);
+ }
+ }
+
+ public void grantSysPrivilege(PrivilegeType priv, boolean grantOpt) {
+ sysPrivilegeSet.add(priv);
+ if (grantOpt) {
+ sysPriGrantOpt.add(priv);
+ }
+ }
+
+ private DatabasePrivilege getObjectPrivilegeInternal(String dbName) {
+ return objectPrivilegeMap.computeIfAbsent(dbName, DatabasePrivilege::new);
+ }
+
+ public void grantAnyScopePrivilege(PrivilegeType priv, boolean grantOpt) {
+ anyScopePrivilegeSet.add(priv);
+ if (grantOpt) {
+ anyScopePrivileGrantOptSet.add(priv);
+ }
+ }
+
+ public void revokeAnyScopePrivilege(PrivilegeType priv) {
+ anyScopePrivilegeSet.remove(priv);
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void revokeAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void grantDBPrivilege(String dbName, PrivilegeType priv, boolean
grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantDBPrivilege(priv);
+ if (grantOption) {
+ databasePrivilege.grantDBGrantOption(priv);
+ }
}
- public void removeSysPrivilege(int privilegeId) {
- sysPrivilegeSet.remove(privilegeId);
+ public void grantTBPrivilege(
+ String dbName, String tbName, PrivilegeType priv, boolean grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantTablePrivilege(tbName, priv);
+ if (grantOption) {
+ databasePrivilege.grantTableGrantOption(tbName, priv);
+ }
}
- public void setServiceReady(boolean ready) {
- serviceReady = ready;
+ public void revokeDBPrivilege(String dbName, PrivilegeType priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeDBPrivilege(priv);
+ databasePrivilege.revokeDBGrantOption(priv);
Review Comment:
This may be called twice..
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
Review Comment:
removePrivilegeGrantOption?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -102,82 +254,272 @@ public void setPrivilegeList(List<PathPrivilege>
privilegeList) {
this.pathPrivilegeList = privilegeList;
}
- public void setPathPrivileges(PartialPath path, Set<Integer> privileges) {
+ public void setPathPrivileges(PartialPath path, Set<PrivilegeType>
privileges) {
for (PathPrivilege pathPrivilege : pathPrivilegeList) {
if (pathPrivilege.getPath().equals(path)) {
pathPrivilege.setPrivileges(privileges);
}
}
}
- public void addPathPrivilege(PartialPath path, int privilegeId, boolean
grantOpt) {
- AuthUtils.addPrivilege(path, privilegeId, pathPrivilegeList, grantOpt);
+ public void setObjectPrivilegeMap(Map<String, DatabasePrivilege>
privilegeMap) {
+ this.objectPrivilegeMap = privilegeMap;
}
- public void removePathPrivilege(PartialPath path, int privilegeId) {
- AuthUtils.removePrivilege(path, privilegeId, pathPrivilegeList);
+ public void grantPathPrivilege(PartialPath path, PrivilegeType priv, boolean
grantOpt) {
+ AuthUtils.addPrivilege(path, priv, pathPrivilegeList, grantOpt);
}
- public void setSysPrivilegeSet(Set<Integer> privilegeSet) {
- this.sysPrivilegeSet = privilegeSet;
+ public void revokePathPrivilege(PartialPath path, PrivilegeType priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPriGrantOpt(Set<Integer> grantOpt) {
- this.sysPriGrantOpt = grantOpt;
+ public void revokePathPrivilegeGrantOption(PartialPath path, PrivilegeType
priv) {
+ AuthUtils.removePrivilege(path, priv, pathPrivilegeList);
}
- public void setSysPrivilegeSet(int privilegeMask) {
- if (sysPrivilegeSet == null) {
- sysPrivilegeSet = new HashSet<>();
- }
- if (sysPriGrantOpt == null) {
- sysPriGrantOpt = new HashSet<>();
+ public void setSysPrivilegeSet(Set<PrivilegeType> privilegeSet) {
+ this.sysPrivilegeSet = privilegeSet;
+ }
+
+ public void setSysPrivilegeSetInt(Set<Integer> privilegeSet) {
+ for (Integer priv : privilegeSet) {
+ this.sysPrivilegeSet.add(PrivilegeType.values()[priv]);
}
+ }
+
+ public void setSysPrivilegesWithMask(int privMask) {
+ final int SYS_PRI_SIZE =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM);
for (int i = 0; i < SYS_PRI_SIZE; i++) {
- if ((privilegeMask & (1 << i)) != 0) {
+ if ((privMask & (1 << i)) != 0) {
sysPrivilegeSet.add(AuthUtils.posToSysPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
}
- if ((privilegeMask & (1 << (i + 16))) != 0) {
- sysPriGrantOpt.add(AuthUtils.posToSysPri(i));
+ }
+ }
+
+ public void setAnyScopePrivilegeSetWithMask(int privMask) {
+ final int PRI_COUNT =
PrivilegeType.getPrivilegeCount(PrivilegeModelType.RELATIONAL);
+ for (int i = 0; i < PRI_COUNT; i++) {
+ if ((privMask & (1 << i)) != 0) {
+ anyScopePrivilegeSet.add(AuthUtils.posToObjPri(i));
+ if ((privMask & (1 << (i + 16))) != 0) {
+ anyScopePrivileGrantOptSet.add(AuthUtils.posToObjPri(i));
+ }
}
}
}
- public void addSysPrivilege(int privilegeId) {
- sysPrivilegeSet.add(privilegeId);
+ public void setSysPriGrantOpt(Set<PrivilegeType> grantOpt) {
+ this.sysPriGrantOpt = grantOpt;
+ }
+
+ public void setSysPriGrantOptInt(Set<Integer> grantOptInt) {
+ for (Integer priv : grantOptInt) {
+ this.sysPriGrantOpt.add(PrivilegeType.values()[priv]);
+ }
+ }
+
+ public void grantSysPrivilege(PrivilegeType priv, boolean grantOpt) {
+ sysPrivilegeSet.add(priv);
+ if (grantOpt) {
+ sysPriGrantOpt.add(priv);
+ }
+ }
+
+ private DatabasePrivilege getObjectPrivilegeInternal(String dbName) {
+ return objectPrivilegeMap.computeIfAbsent(dbName, DatabasePrivilege::new);
+ }
+
+ public void grantAnyScopePrivilege(PrivilegeType priv, boolean grantOpt) {
+ anyScopePrivilegeSet.add(priv);
+ if (grantOpt) {
+ anyScopePrivileGrantOptSet.add(priv);
+ }
+ }
+
+ public void revokeAnyScopePrivilege(PrivilegeType priv) {
+ anyScopePrivilegeSet.remove(priv);
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void revokeAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ anyScopePrivileGrantOptSet.remove(priv);
+ }
+
+ public void grantDBPrivilege(String dbName, PrivilegeType priv, boolean
grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantDBPrivilege(priv);
+ if (grantOption) {
+ databasePrivilege.grantDBGrantOption(priv);
+ }
}
- public void removeSysPrivilege(int privilegeId) {
- sysPrivilegeSet.remove(privilegeId);
+ public void grantTBPrivilege(
+ String dbName, String tbName, PrivilegeType priv, boolean grantOption) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilege(dbName);
+ databasePrivilege.grantTablePrivilege(tbName, priv);
+ if (grantOption) {
+ databasePrivilege.grantTableGrantOption(tbName, priv);
+ }
}
- public void setServiceReady(boolean ready) {
- serviceReady = ready;
+ public void revokeDBPrivilege(String dbName, PrivilegeType priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeDBPrivilege(priv);
+ databasePrivilege.revokeDBGrantOption(priv);
+ if (databasePrivilege.getTablePrivilegeMap().isEmpty()
+ && databasePrivilege.getPrivilegeSet().isEmpty()) {
+ objectPrivilegeMap.remove(dbName);
+ }
+ }
+
+ public void revokeDBPrivilegeGrantOption(String dbName, PrivilegeType priv) {
+ if (!objectPrivilegeMap.containsKey(dbName)) {
+ return;
+ }
+ DatabasePrivilege databasePrivilege = objectPrivilegeMap.get(dbName);
+ databasePrivilege.revokeDBGrantOption(priv);
+ }
+
+ public void revokeTBPrivilege(String dbName, String tbName, PrivilegeType
priv) {
+ DatabasePrivilege databasePrivilege = getObjectPrivilegeInternal(dbName);
+ databasePrivilege.revokeTableGrantOption(tbName, priv);
+ databasePrivilege.revokeTablePrivilege(tbName, priv);
+ if (databasePrivilege.getTablePrivilegeMap().isEmpty()
+ && databasePrivilege.getPrivilegeSet().isEmpty()) {
+ this.objectPrivilegeMap.remove(dbName);
+ }
+ }
+
+ public void revokeTBPrivilegeGrantOption(String dbName, String tbName,
PrivilegeType priv) {
+ if (!objectPrivilegeMap.containsKey(dbName)) {
+ return;
+ }
+ DatabasePrivilege databasePrivilege = objectPrivilegeMap.get(dbName);
+ if (!databasePrivilege.getTablePrivilegeMap().containsKey(tbName)) {
+ return;
+ }
+ TablePrivilege tablePrivilege =
databasePrivilege.getTablePrivilegeMap().get(tbName);
+ tablePrivilege.revokeGrantOption(priv);
+ }
+
+ public void grantSysPrivilegeGrantOption(PrivilegeType priv) {
+ sysPriGrantOpt.add(priv);
+ }
+
+ public void revokeSysPrivilege(PrivilegeType priv) {
+ sysPrivilegeSet.remove(priv);
}
/** ------------ check func ---------------* */
- public boolean hasPrivilegeToRevoke(PartialPath path, int privilegeId) {
- if (path == null) {
- return sysPrivilegeSet.contains(privilegeId);
- } else {
- return AuthUtils.hasPrivilegeToReovke(path, privilegeId,
pathPrivilegeList);
+ public boolean hasPrivilegeToRevoke(PartialPath path, PrivilegeType priv) {
+ return AuthUtils.hasPrivilegeToRevoke(path, priv, pathPrivilegeList);
+ }
+
+ public boolean hasPrivilegeToRevoke(PrivilegeType priv) {
+ return this.sysPrivilegeSet.contains(priv);
+ }
+
+ public boolean hasPrivilegeToRevoke(String dbname, PrivilegeType priv) {
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv);
+ }
+
+ public boolean hasPrivilegeToRevoke(String dbname, String tbName,
PrivilegeType priv) {
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkTablePrivilege(tbName,
priv);
+ }
+
+ public boolean checkAnyScopePrivilege(PrivilegeType priv) {
+ return anyScopePrivilegeSet.contains(priv);
+ }
+
+ public boolean checkDatabasePrivilege(String dbname, PrivilegeType priv) {
+ return checkAnyScopePrivilege(priv)
+ || (this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv));
+ }
+
+ public boolean checkTablePrivilege(String dbname, String table,
PrivilegeType priv) {
+ return checkAnyScopePrivilege(priv)
+ || (this.objectPrivilegeMap.containsKey(dbname)
+ && (this.objectPrivilegeMap.get(dbname).checkDBPrivilege(priv)
+ ||
this.objectPrivilegeMap.get(dbname).checkTablePrivilege(table, priv)));
+ }
+
+ public boolean checkDatabasePrivilegeGrantOption(String dbname,
PrivilegeType priv) {
+ if (checkAnyScopePrivilegeGrantOption(priv)) {
+ return true;
}
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkDBGrantOption(priv);
}
- public boolean checkPathPrivilege(PartialPath path, int privilegeId) {
- return AuthUtils.checkPathPrivilege(path, privilegeId, pathPrivilegeList);
+ public boolean checkTablePrivilegeGrantOption(String dbname, String table,
PrivilegeType priv) {
+ if (checkAnyScopePrivilegeGrantOption(priv)) {
+ return true;
+ }
+ if (checkDatabasePrivilegeGrantOption(dbname, priv)) {
+ return true;
+ }
+ return this.objectPrivilegeMap.containsKey(dbname)
+ && this.objectPrivilegeMap.get(dbname).checkTableGrantOption(table,
priv);
+ }
+
+ public boolean checkAnyScopePrivilegeGrantOption(PrivilegeType priv) {
+ return this.anyScopePrivileGrantOptSet.contains(priv)
+ && this.anyScopePrivilegeSet.contains(priv);
+ }
+
+ public boolean checkPathPrivilege(PartialPath path, PrivilegeType priv) {
+ return AuthUtils.checkPathPrivilege(path, priv, pathPrivilegeList);
+ }
+
+ public boolean checkPathPrivilegeGrantOpt(PartialPath path, PrivilegeType
priv) {
+ return AuthUtils.checkPathPrivilegeGrantOpt(path, priv, pathPrivilegeList);
+ }
+
+ public boolean checkSysPrivilege(PrivilegeType priv) {
+ return sysPrivilegeSet.contains(priv);
+ }
+
+ public boolean checkSysPriGrantOpt(PrivilegeType priv) {
+ return sysPrivilegeSet.contains(priv) && sysPriGrantOpt.contains(priv);
}
- public boolean checkPathPrivilegeGrantOpt(PartialPath path, int privilegeId)
{
- return AuthUtils.checkPathPrivilegeGrantOpt(path, privilegeId,
pathPrivilegeList);
+ public boolean checkDBVisible(String database) {
+ return !anyScopePrivilegeSet.isEmpty() ||
objectPrivilegeMap.containsKey(database);
}
- public boolean checkSysPrivilege(int privilegeId) {
- return sysPrivilegeSet.contains(privilegeId);
+ public boolean checkTBVisible(String database, String tbName) {
+ return !anyScopePrivilegeSet.isEmpty()
+ || (objectPrivilegeMap.containsKey(database)
+ &&
objectPrivilegeMap.get(database).getTablePrivilegeMap().containsKey(tbName));
Review Comment:
Seemingly this shall be "||" according to the definition? Though you may
need to check if any DB privileges exist....
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java:
##########
@@ -35,197 +36,205 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
/**
* This class reads roles from local files through LocalFileRoleAccessor and
manages them in a hash
* map. We save all roles in our memory. Before providing service, we should
load all role
* information from filesystem. Access filesystem only happens at
starting、taking snapshot、 loading
* snapshot.
*/
-public abstract class BasicRoleManager implements IRoleManager {
+public abstract class BasicRoleManager implements IEntryManager,
SnapshotProcessor {
- protected Map<String, Role> roleMap;
- protected IRoleAccessor accessor;
- protected HashLock lock;
- private boolean preVersion = false;
+ protected Map<String, Role> entryMap;
+ protected IEntryAccessor accessor;
+ protected HashLock lock;
private static final Logger LOGGER =
LoggerFactory.getLogger(BasicRoleManager.class);
- BasicRoleManager(LocalFileRoleAccessor accessor) {
- this.roleMap = new HashMap<>();
+ protected TSStatusCode getEntryNotExistErrorCode() {
+ return TSStatusCode.ROLE_NOT_EXIST;
+ }
+
+ protected String getNoSuchEntryError() {
+ return "No such role %s";
+ }
+
+ protected BasicRoleManager() {
+ this.entryMap = new HashMap<>();
+ this.lock = new HashLock();
+ }
+
+ protected BasicRoleManager(IEntryAccessor accessor) {
+ this.entryMap = new HashMap<>();
this.accessor = accessor;
this.lock = new HashLock();
this.accessor.reset();
}
- @Override
- public Role getRole(String rolename) {
- lock.readLock(rolename);
- Role role = roleMap.get(rolename);
- lock.readUnlock(rolename);
+ public Role getEntry(String entryName) {
+ lock.readLock(entryName);
+ Role role = entryMap.get(entryName);
+ lock.readUnlock(entryName);
return role;
}
- @Override
- public boolean createRole(String rolename) throws AuthException {
-
- Role role = getRole(rolename);
+ public boolean createEntry(String entryName) {
+ Role role = getEntry(entryName);
if (role != null) {
return false;
}
- lock.writeLock(rolename);
- role = new Role(rolename);
- roleMap.put(rolename, role);
- lock.writeUnlock(rolename);
+ lock.writeLock(entryName);
+ role = new Role(entryName);
+ entryMap.put(entryName, role);
+ lock.writeUnlock(entryName);
return true;
}
- @Override
- public boolean deleteRole(String rolename) {
- lock.writeLock(rolename);
- try {
- return roleMap.remove(rolename) != null;
- } finally {
- lock.writeUnlock(rolename);
- }
+ public boolean deleteEntry(String entryName) {
+ lock.writeLock(entryName);
+ boolean result = entryMap.remove(entryName) != null;
+ lock.writeUnlock(entryName);
+ return result;
}
- @Override
- public void grantPrivilegeToRole(
- String rolename, PartialPath path, int privilegeId, boolean grantOpt)
throws AuthException {
- lock.writeLock(rolename);
+ public void grantPrivilegeToEntry(String entryName, PrivilegeUnion
privilegeUnion)
+ throws AuthException {
+ lock.writeLock(entryName);
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
- // Pre version's operation:
- // all privileges are stored in path privileges.
- // global privileges will come with root.**
- // need to handle privileges ALL there.
- if (preVersion) {
- AuthUtils.validatePath(path);
- if (privilegeId == PriPrivilegeType.ALL.ordinal()) {
- for (PriPrivilegeType type : PriPrivilegeType.values()) {
- role.addPathPrivilege(path, type.ordinal(), false);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ AuthUtils.validatePatternPath(privilegeUnion.getPath());
+ role.grantPathPrivilege(
+ privilegeUnion.getPath(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ break;
+ case SYSTEM:
+ PrivilegeType type = privilegeUnion.getPrivilegeType();
+ role.grantSysPrivilege(type, privilegeUnion.isGrantOption());
+ break;
+ case RELATIONAL:
+ if (privilegeUnion.isForAny()) {
+ role.grantAnyScopePrivilege(
+ privilegeUnion.getPrivilegeType(),
privilegeUnion.isGrantOption());
+ break;
}
- } else {
- role.addPathPrivilege(path, privilegeId, false);
- }
- // mark that the user has pre Version's privilege.
- if (role.getServiceReady()) {
- role.setServiceReady(false);
- }
- return;
- }
-
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.addPathPrivilege(path, privilegeId, grantOpt);
- } else {
- role.getSysPrivilege().add(privilegeId);
- if (grantOpt) {
- role.getSysPriGrantOpt().add(privilegeId);
- }
+ if (privilegeUnion.getDBName() != null && privilegeUnion.getTbName()
== null) {
+ role.grantDBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ } else if (privilegeUnion.getDBName() != null &&
privilegeUnion.getTbName() != null) {
+ role.grantTBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getTbName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ }
+ break;
+ default:
+ LOGGER.warn("Not support model type {}",
privilegeUnion.getModelType());
}
} finally {
- lock.writeUnlock(rolename);
+ lock.writeUnlock(entryName);
}
}
- @Override
- public boolean revokePrivilegeFromRole(String rolename, PartialPath path,
int privilegeId)
+ public boolean revokePrivilegeFromEntry(String entryName, PrivilegeUnion
privilegeUnion)
throws AuthException {
- lock.writeLock(rolename);
+ lock.writeLock(entryName);
+ PrivilegeType privilegeType = privilegeUnion.getPrivilegeType();
+ boolean isGrantOption = privilegeUnion.isGrantOption();
+ boolean isAnyScope = privilegeUnion.isForAny();
+ String dbName = privilegeUnion.getDBName();
+ String tbName = privilegeUnion.getTbName();
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
- }
- if (preVersion) {
- if (!AuthUtils.hasPrivilege(path, privilegeId,
role.getPathPrivilegeList())) {
- return false;
- }
- AuthUtils.removePrivilegePre(path, privilegeId,
role.getPathPrivilegeList());
- return true;
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
-
- if (!role.hasPrivilegeToRevoke(path, privilegeId)) {
- return false;
- }
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.removePathPrivilege(path, privilegeId);
- } else {
- role.getSysPrivilege().remove(privilegeId);
- role.getSysPriGrantOpt().remove(privilegeId);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ if (isGrantOption) {
+ role.revokePathPrivilegeGrantOption(privilegeUnion.getPath(),
privilegeType);
+ return true;
+ }
+ if (!role.hasPrivilegeToRevoke(privilegeUnion.getPath(),
privilegeType)) {
+ return false;
+ }
+ role.revokePathPrivilege(privilegeUnion.getPath(), privilegeType);
+ break;
+ case RELATIONAL:
+ if (isAnyScope) {
+ if (isGrantOption) {
+ role.revokeAnyScopePrivilegeGrantOption(privilegeType);
+ return true;
+ }
+ role.revokeAnyScopePrivilege(privilegeType);
+ break;
+ }
+ // for tb
+ if (privilegeUnion.getTbName() != null) {
+ if (isGrantOption) {
+ role.revokeTBPrivilegeGrantOption(dbName, tbName, privilegeType);
+ return true;
+ }
+ if (role.hasPrivilegeToRevoke(dbName, tbName, privilegeType)) {
+ role.revokeTBPrivilege(dbName, tbName, privilegeType);
+ return true;
+ }
+ // for db
+ } else {
+ if (isGrantOption) {
+ role.revokeDBPrivilegeGrantOption(dbName, privilegeType);
+ return true;
+ }
+ if (role.hasPrivilegeToRevoke(dbName, privilegeType)) {
+ role.revokeDBPrivilege(dbName, privilegeType);
+ }
+ return true;
+ }
+ break;
+ case SYSTEM:
Review Comment:
May add "revokeSysGrantOption" here.
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java:
##########
@@ -35,197 +36,205 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
/**
* This class reads roles from local files through LocalFileRoleAccessor and
manages them in a hash
* map. We save all roles in our memory. Before providing service, we should
load all role
* information from filesystem. Access filesystem only happens at
starting、taking snapshot、 loading
* snapshot.
*/
-public abstract class BasicRoleManager implements IRoleManager {
+public abstract class BasicRoleManager implements IEntryManager,
SnapshotProcessor {
- protected Map<String, Role> roleMap;
- protected IRoleAccessor accessor;
- protected HashLock lock;
- private boolean preVersion = false;
+ protected Map<String, Role> entryMap;
+ protected IEntryAccessor accessor;
+ protected HashLock lock;
private static final Logger LOGGER =
LoggerFactory.getLogger(BasicRoleManager.class);
- BasicRoleManager(LocalFileRoleAccessor accessor) {
- this.roleMap = new HashMap<>();
+ protected TSStatusCode getEntryNotExistErrorCode() {
+ return TSStatusCode.ROLE_NOT_EXIST;
+ }
+
+ protected String getNoSuchEntryError() {
+ return "No such role %s";
+ }
+
+ protected BasicRoleManager() {
+ this.entryMap = new HashMap<>();
+ this.lock = new HashLock();
+ }
+
+ protected BasicRoleManager(IEntryAccessor accessor) {
+ this.entryMap = new HashMap<>();
this.accessor = accessor;
this.lock = new HashLock();
this.accessor.reset();
}
- @Override
- public Role getRole(String rolename) {
- lock.readLock(rolename);
- Role role = roleMap.get(rolename);
- lock.readUnlock(rolename);
+ public Role getEntry(String entryName) {
+ lock.readLock(entryName);
+ Role role = entryMap.get(entryName);
+ lock.readUnlock(entryName);
return role;
}
- @Override
- public boolean createRole(String rolename) throws AuthException {
-
- Role role = getRole(rolename);
+ public boolean createEntry(String entryName) {
+ Role role = getEntry(entryName);
if (role != null) {
return false;
}
- lock.writeLock(rolename);
- role = new Role(rolename);
- roleMap.put(rolename, role);
- lock.writeUnlock(rolename);
+ lock.writeLock(entryName);
+ role = new Role(entryName);
+ entryMap.put(entryName, role);
+ lock.writeUnlock(entryName);
return true;
}
- @Override
- public boolean deleteRole(String rolename) {
- lock.writeLock(rolename);
- try {
- return roleMap.remove(rolename) != null;
- } finally {
- lock.writeUnlock(rolename);
- }
+ public boolean deleteEntry(String entryName) {
+ lock.writeLock(entryName);
+ boolean result = entryMap.remove(entryName) != null;
+ lock.writeUnlock(entryName);
+ return result;
}
- @Override
- public void grantPrivilegeToRole(
- String rolename, PartialPath path, int privilegeId, boolean grantOpt)
throws AuthException {
- lock.writeLock(rolename);
+ public void grantPrivilegeToEntry(String entryName, PrivilegeUnion
privilegeUnion)
+ throws AuthException {
+ lock.writeLock(entryName);
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
- // Pre version's operation:
- // all privileges are stored in path privileges.
- // global privileges will come with root.**
- // need to handle privileges ALL there.
- if (preVersion) {
- AuthUtils.validatePath(path);
- if (privilegeId == PriPrivilegeType.ALL.ordinal()) {
- for (PriPrivilegeType type : PriPrivilegeType.values()) {
- role.addPathPrivilege(path, type.ordinal(), false);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ AuthUtils.validatePatternPath(privilegeUnion.getPath());
+ role.grantPathPrivilege(
+ privilegeUnion.getPath(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ break;
+ case SYSTEM:
+ PrivilegeType type = privilegeUnion.getPrivilegeType();
+ role.grantSysPrivilege(type, privilegeUnion.isGrantOption());
+ break;
+ case RELATIONAL:
+ if (privilegeUnion.isForAny()) {
+ role.grantAnyScopePrivilege(
+ privilegeUnion.getPrivilegeType(),
privilegeUnion.isGrantOption());
+ break;
}
- } else {
- role.addPathPrivilege(path, privilegeId, false);
- }
- // mark that the user has pre Version's privilege.
- if (role.getServiceReady()) {
- role.setServiceReady(false);
- }
- return;
- }
-
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.addPathPrivilege(path, privilegeId, grantOpt);
- } else {
- role.getSysPrivilege().add(privilegeId);
- if (grantOpt) {
- role.getSysPriGrantOpt().add(privilegeId);
- }
+ if (privilegeUnion.getDBName() != null && privilegeUnion.getTbName()
== null) {
+ role.grantDBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ } else if (privilegeUnion.getDBName() != null &&
privilegeUnion.getTbName() != null) {
+ role.grantTBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getTbName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ }
+ break;
+ default:
+ LOGGER.warn("Not support model type {}",
privilegeUnion.getModelType());
}
} finally {
- lock.writeUnlock(rolename);
+ lock.writeUnlock(entryName);
}
}
- @Override
- public boolean revokePrivilegeFromRole(String rolename, PartialPath path,
int privilegeId)
+ public boolean revokePrivilegeFromEntry(String entryName, PrivilegeUnion
privilegeUnion)
throws AuthException {
- lock.writeLock(rolename);
+ lock.writeLock(entryName);
+ PrivilegeType privilegeType = privilegeUnion.getPrivilegeType();
+ boolean isGrantOption = privilegeUnion.isGrantOption();
+ boolean isAnyScope = privilegeUnion.isForAny();
+ String dbName = privilegeUnion.getDBName();
+ String tbName = privilegeUnion.getTbName();
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
- }
- if (preVersion) {
- if (!AuthUtils.hasPrivilege(path, privilegeId,
role.getPathPrivilegeList())) {
- return false;
- }
- AuthUtils.removePrivilegePre(path, privilegeId,
role.getPathPrivilegeList());
- return true;
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
-
- if (!role.hasPrivilegeToRevoke(path, privilegeId)) {
- return false;
- }
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.removePathPrivilege(path, privilegeId);
- } else {
- role.getSysPrivilege().remove(privilegeId);
- role.getSysPriGrantOpt().remove(privilegeId);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ if (isGrantOption) {
+ role.revokePathPrivilegeGrantOption(privilegeUnion.getPath(),
privilegeType);
+ return true;
+ }
+ if (!role.hasPrivilegeToRevoke(privilegeUnion.getPath(),
privilegeType)) {
+ return false;
+ }
+ role.revokePathPrivilege(privilegeUnion.getPath(), privilegeType);
+ break;
+ case RELATIONAL:
+ if (isAnyScope) {
+ if (isGrantOption) {
+ role.revokeAnyScopePrivilegeGrantOption(privilegeType);
+ return true;
+ }
+ role.revokeAnyScopePrivilege(privilegeType);
+ break;
+ }
+ // for tb
+ if (privilegeUnion.getTbName() != null) {
+ if (isGrantOption) {
+ role.revokeTBPrivilegeGrantOption(dbName, tbName, privilegeType);
+ return true;
+ }
+ if (role.hasPrivilegeToRevoke(dbName, tbName, privilegeType)) {
+ role.revokeTBPrivilege(dbName, tbName, privilegeType);
+ return true;
+ }
+ // for db
+ } else {
+ if (isGrantOption) {
+ role.revokeDBPrivilegeGrantOption(dbName, privilegeType);
+ return true;
+ }
+ if (role.hasPrivilegeToRevoke(dbName, privilegeType)) {
Review Comment:
Seems useless here?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java:
##########
@@ -193,33 +535,43 @@ public boolean equals(Object o) {
return Objects.equals(name, role.name)
&& Objects.equals(pathPrivilegeList, role.pathPrivilegeList)
&& Objects.equals(sysPrivilegeSet, role.sysPrivilegeSet)
- && Objects.equals(sysPriGrantOpt, role.sysPriGrantOpt);
+ && Objects.equals(sysPriGrantOpt, role.sysPriGrantOpt)
+ && Objects.equals(objectPrivilegeMap, role.objectPrivilegeMap);
}
@Override
public int hashCode() {
return Objects.hash(name, pathPrivilegeList, sysPrivilegeSet);
Review Comment:
hashCode?
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/BasicRoleManager.java:
##########
@@ -35,197 +36,205 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
/**
* This class reads roles from local files through LocalFileRoleAccessor and
manages them in a hash
* map. We save all roles in our memory. Before providing service, we should
load all role
* information from filesystem. Access filesystem only happens at
starting、taking snapshot、 loading
* snapshot.
*/
-public abstract class BasicRoleManager implements IRoleManager {
+public abstract class BasicRoleManager implements IEntryManager,
SnapshotProcessor {
- protected Map<String, Role> roleMap;
- protected IRoleAccessor accessor;
- protected HashLock lock;
- private boolean preVersion = false;
+ protected Map<String, Role> entryMap;
+ protected IEntryAccessor accessor;
+ protected HashLock lock;
private static final Logger LOGGER =
LoggerFactory.getLogger(BasicRoleManager.class);
- BasicRoleManager(LocalFileRoleAccessor accessor) {
- this.roleMap = new HashMap<>();
+ protected TSStatusCode getEntryNotExistErrorCode() {
+ return TSStatusCode.ROLE_NOT_EXIST;
+ }
+
+ protected String getNoSuchEntryError() {
+ return "No such role %s";
+ }
+
+ protected BasicRoleManager() {
+ this.entryMap = new HashMap<>();
+ this.lock = new HashLock();
+ }
+
+ protected BasicRoleManager(IEntryAccessor accessor) {
+ this.entryMap = new HashMap<>();
this.accessor = accessor;
this.lock = new HashLock();
this.accessor.reset();
}
- @Override
- public Role getRole(String rolename) {
- lock.readLock(rolename);
- Role role = roleMap.get(rolename);
- lock.readUnlock(rolename);
+ public Role getEntry(String entryName) {
+ lock.readLock(entryName);
+ Role role = entryMap.get(entryName);
+ lock.readUnlock(entryName);
return role;
}
- @Override
- public boolean createRole(String rolename) throws AuthException {
-
- Role role = getRole(rolename);
+ public boolean createEntry(String entryName) {
+ Role role = getEntry(entryName);
if (role != null) {
return false;
}
- lock.writeLock(rolename);
- role = new Role(rolename);
- roleMap.put(rolename, role);
- lock.writeUnlock(rolename);
+ lock.writeLock(entryName);
+ role = new Role(entryName);
+ entryMap.put(entryName, role);
+ lock.writeUnlock(entryName);
return true;
}
- @Override
- public boolean deleteRole(String rolename) {
- lock.writeLock(rolename);
- try {
- return roleMap.remove(rolename) != null;
- } finally {
- lock.writeUnlock(rolename);
- }
+ public boolean deleteEntry(String entryName) {
+ lock.writeLock(entryName);
+ boolean result = entryMap.remove(entryName) != null;
+ lock.writeUnlock(entryName);
+ return result;
}
- @Override
- public void grantPrivilegeToRole(
- String rolename, PartialPath path, int privilegeId, boolean grantOpt)
throws AuthException {
- lock.writeLock(rolename);
+ public void grantPrivilegeToEntry(String entryName, PrivilegeUnion
privilegeUnion)
+ throws AuthException {
+ lock.writeLock(entryName);
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
- // Pre version's operation:
- // all privileges are stored in path privileges.
- // global privileges will come with root.**
- // need to handle privileges ALL there.
- if (preVersion) {
- AuthUtils.validatePath(path);
- if (privilegeId == PriPrivilegeType.ALL.ordinal()) {
- for (PriPrivilegeType type : PriPrivilegeType.values()) {
- role.addPathPrivilege(path, type.ordinal(), false);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ AuthUtils.validatePatternPath(privilegeUnion.getPath());
+ role.grantPathPrivilege(
+ privilegeUnion.getPath(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ break;
+ case SYSTEM:
+ PrivilegeType type = privilegeUnion.getPrivilegeType();
+ role.grantSysPrivilege(type, privilegeUnion.isGrantOption());
+ break;
+ case RELATIONAL:
+ if (privilegeUnion.isForAny()) {
+ role.grantAnyScopePrivilege(
+ privilegeUnion.getPrivilegeType(),
privilegeUnion.isGrantOption());
+ break;
}
- } else {
- role.addPathPrivilege(path, privilegeId, false);
- }
- // mark that the user has pre Version's privilege.
- if (role.getServiceReady()) {
- role.setServiceReady(false);
- }
- return;
- }
-
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.addPathPrivilege(path, privilegeId, grantOpt);
- } else {
- role.getSysPrivilege().add(privilegeId);
- if (grantOpt) {
- role.getSysPriGrantOpt().add(privilegeId);
- }
+ if (privilegeUnion.getDBName() != null && privilegeUnion.getTbName()
== null) {
+ role.grantDBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ } else if (privilegeUnion.getDBName() != null &&
privilegeUnion.getTbName() != null) {
+ role.grantTBPrivilege(
+ privilegeUnion.getDBName(),
+ privilegeUnion.getTbName(),
+ privilegeUnion.getPrivilegeType(),
+ privilegeUnion.isGrantOption());
+ }
+ break;
+ default:
+ LOGGER.warn("Not support model type {}",
privilegeUnion.getModelType());
}
} finally {
- lock.writeUnlock(rolename);
+ lock.writeUnlock(entryName);
}
}
- @Override
- public boolean revokePrivilegeFromRole(String rolename, PartialPath path,
int privilegeId)
+ public boolean revokePrivilegeFromEntry(String entryName, PrivilegeUnion
privilegeUnion)
throws AuthException {
- lock.writeLock(rolename);
+ lock.writeLock(entryName);
+ PrivilegeType privilegeType = privilegeUnion.getPrivilegeType();
+ boolean isGrantOption = privilegeUnion.isGrantOption();
+ boolean isAnyScope = privilegeUnion.isForAny();
+ String dbName = privilegeUnion.getDBName();
+ String tbName = privilegeUnion.getTbName();
try {
- Role role = getRole(rolename);
+ Role role = getEntry(entryName);
if (role == null) {
throw new AuthException(
- TSStatusCode.ROLE_NOT_EXIST, String.format("No such role %s",
rolename));
- }
- if (preVersion) {
- if (!AuthUtils.hasPrivilege(path, privilegeId,
role.getPathPrivilegeList())) {
- return false;
- }
- AuthUtils.removePrivilegePre(path, privilegeId,
role.getPathPrivilegeList());
- return true;
+ getEntryNotExistErrorCode(), String.format(getNoSuchEntryError(),
entryName));
}
-
- if (!role.hasPrivilegeToRevoke(path, privilegeId)) {
- return false;
- }
- if (path != null) {
- AuthUtils.validatePatternPath(path);
- role.removePathPrivilege(path, privilegeId);
- } else {
- role.getSysPrivilege().remove(privilegeId);
- role.getSysPriGrantOpt().remove(privilegeId);
+ switch (privilegeUnion.getModelType()) {
+ case TREE:
+ if (isGrantOption) {
+ role.revokePathPrivilegeGrantOption(privilegeUnion.getPath(),
privilegeType);
+ return true;
+ }
+ if (!role.hasPrivilegeToRevoke(privilegeUnion.getPath(),
privilegeType)) {
+ return false;
+ }
+ role.revokePathPrivilege(privilegeUnion.getPath(), privilegeType);
+ break;
+ case RELATIONAL:
+ if (isAnyScope) {
+ if (isGrantOption) {
+ role.revokeAnyScopePrivilegeGrantOption(privilegeType);
+ return true;
+ }
+ role.revokeAnyScopePrivilege(privilegeType);
+ break;
+ }
+ // for tb
+ if (privilegeUnion.getTbName() != null) {
+ if (isGrantOption) {
+ role.revokeTBPrivilegeGrantOption(dbName, tbName, privilegeType);
+ return true;
+ }
+ if (role.hasPrivilegeToRevoke(dbName, tbName, privilegeType)) {
Review Comment:
Seems useless here?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
