Caideyipi commented on code in PR #13158:
URL: https://github.com/apache/iotdb/pull/13158#discussion_r1924581354
##########
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/role/LocalFileRoleAccessor.java:
##########
@@ -73,67 +76,126 @@
* All user/role file store in config node's user/role folder. when our system
start, we load all
* user/role from folder. If we did some alter query, we just store raft log.
*/
-public class LocalFileRoleAccessor implements IRoleAccessor {
+public class LocalFileRoleAccessor implements IEntityAccessor {
private static final Logger LOGGER =
LoggerFactory.getLogger(LocalFileRoleAccessor.class);
- private static final String TEMP_SUFFIX = ".temp";
- private static final String STRING_ENCODING = "utf-8";
- private static final String ROLE_SNAPSHOT_FILE_NAME = "system" +
File.separator + "roles";
+ protected static final String TEMP_SUFFIX = ".temp";
+ protected static final String STRING_ENCODING = "utf-8";
+ protected final String entityDirPath;
- private final String roleDirPath;
+ // It might be a good idea to use a Version number to control upgrade
compatibility.
+ // Now it's version 1
+ protected static final int VERSION = 1;
/**
* Reused buffer for primitive types encoding/decoding, which aim to reduce
memory fragments. Use
* ThreadLocal for thread safety.
*/
- private final ThreadLocal<ByteBuffer> encodingBufferLocal = new
ThreadLocal<>();
+ protected final ThreadLocal<ByteBuffer> encodingBufferLocal = new
ThreadLocal<>();
- private final ThreadLocal<byte[]> strBufferLocal = new ThreadLocal<>();
+ protected final ThreadLocal<byte[]> strBufferLocal = new ThreadLocal<>();
public LocalFileRoleAccessor(String roleDirPath) {
- this.roleDirPath = roleDirPath;
+ this.entityDirPath = roleDirPath;
}
- /**
- * @return role struct
- * @throws IOException
- */
- @Override
- public Role loadRole(String rolename) throws IOException {
- File roleProfile =
+ protected String getEntitySnapshotFileName() {
+ return "system" + File.separator + "roles";
+ }
+
+ protected void saveEntityVersion(BufferedOutputStream outputStream) throws
IOException {
+ IOUtils.writeInt(outputStream, VERSION, encodingBufferLocal);
+ }
+
+ protected void saveEntityName(BufferedOutputStream outputStream, Role role)
throws IOException {
+ IOUtils.writeString(outputStream, role.getName(), STRING_ENCODING,
encodingBufferLocal);
+ }
+
+ protected void savePrivileges(BufferedOutputStream outputStream, Role role)
throws IOException {
+ IOUtils.writeInt(outputStream, role.getAllSysPrivileges(),
encodingBufferLocal);
+ int privilegeNum = role.getPathPrivilegeList().size();
+ IOUtils.writeInt(outputStream, privilegeNum, encodingBufferLocal);
+ for (int i = 0; i < privilegeNum; i++) {
+ PathPrivilege pathPrivilege = role.getPathPrivilegeList().get(i);
+ IOUtils.writePathPrivilege(outputStream, pathPrivilege, STRING_ENCODING,
encodingBufferLocal);
+ }
+ IOUtils.writeInt(outputStream, role.getAnyScopePrivileges(),
encodingBufferLocal);
+ privilegeNum = role.getDBScopePrivilegeMap().size();
+ IOUtils.writeInt(outputStream, privilegeNum, encodingBufferLocal);
+ for (Map.Entry<String, DatabasePrivilege> objectPrivilegeMap :
+ role.getDBScopePrivilegeMap().entrySet()) {
+ IOUtils.writeObjectPrivilege(
+ outputStream, objectPrivilegeMap.getValue(), STRING_ENCODING,
encodingBufferLocal);
+ }
+ }
+
+ protected void loadPrivileges(DataInputStream dataInputStream, Role role)
+ throws IOException, IllegalPathException {
+ role.setSysPrivilegesWithMask(dataInputStream.readInt());
+ int num = ReadWriteIOUtils.readInt(dataInputStream);
+ List<PathPrivilege> pathPrivilegeList = new ArrayList<>();
+ for (int i = 0; i < num; i++) {
+ pathPrivilegeList.add(
+ IOUtils.readPathPrivilege(dataInputStream, STRING_ENCODING,
strBufferLocal));
+ }
+ role.setPrivilegeList(pathPrivilegeList);
+
role.setAnyScopePrivilegeSetWithMask(ReadWriteIOUtils.readInt(dataInputStream));
+ Map<String, DatabasePrivilege> objectPrivilegeMap = new HashMap<>();
+ num = ReadWriteIOUtils.readInt(dataInputStream);
+ for (int i = 0; i < num; i++) {
+ DatabasePrivilege databasePrivilege =
+ IOUtils.readRelationalPrivilege(dataInputStream, STRING_ENCODING,
strBufferLocal);
+ objectPrivilegeMap.put(databasePrivilege.getDatabaseName(),
databasePrivilege);
+ }
+ role.setObjectPrivilegeMap(objectPrivilegeMap);
+ }
+
+ protected void saveRoles(Role role) throws IOException {
+ // Just used in LocalFileUserAccessor.java.
+ // Do nothing.
+ }
+
+ protected File checkFileAvailable(String entityName, String suffix) {
+ File userProfile =
SystemFileFactory.INSTANCE.getFile(
- roleDirPath + File.separator + rolename +
IoTDBConstant.PROFILE_SUFFIX);
- if (!roleProfile.exists() || !roleProfile.isFile()) {
- // System may crush before a newer file is written, so search for
back-up file.
- File backProfile =
+ entityDirPath + File.separator + entityName + suffix +
IoTDBConstant.PROFILE_SUFFIX);
+ if (!userProfile.exists() || !userProfile.isFile()) {
+ // System may crush before a newer file is renamed.
+ File newProfile =
SystemFileFactory.INSTANCE.getFile(
- roleDirPath + File.separator + rolename +
IoTDBConstant.PROFILE_SUFFIX + TEMP_SUFFIX);
- if (backProfile.exists() && backProfile.isFile()) {
- roleProfile = backProfile;
+ entityDirPath
+ + File.separator
+ + entityName
+ + suffix
+ + IoTDBConstant.PROFILE_SUFFIX
+ + TEMP_SUFFIX);
+ if (newProfile.exists() && newProfile.isFile()) {
+ if (!newProfile.renameTo(userProfile)) {
+ LOGGER.error("New profile renaming not succeed.");
+ }
+ userProfile = newProfile;
} else {
return null;
}
}
- FileInputStream inputStream = new FileInputStream(roleProfile);
+ return userProfile;
+ }
+
+ @Override
+ public Role loadEntity(String entityName) throws IOException {
Review Comment:
Seemingly the compatibility code has gone...
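Review bot: In `checkFileAvailable`, `userProfile = newProfile;` runs whether or not `renameTo` succeeded, so after a successful rename the method returns the `.temp` path, which no longer exists on disk. The caller is not visible in this quoted hunk, but any attempt to open the returned file would then fail, so a role whose profile was recovered after a crash would presumably not load. Keep the fallback inside the failure branch: `if (!newProfile.renameTo(userProfile)) { LOGGER.error("New profile renaming not succeed."); userProfile = newProfile; }`. Because `File.renameTo` gives no reason for a failure, logging both paths in that message would also help when diagnosing a missing role file.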
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/operator/source/relational/InformationSchemaContentSupplierFactory.java:
##########
@@ -341,8 +341,11 @@ public boolean hasNext() {
private static boolean canShowDB(final String userName, final String dbName)
{
try {
Coordinator.getInstance().getAccessControl().checkCanShowOrUseDatabase(userName,
dbName);
- } catch (final AccessControlException e) {
- return false;
+ } catch (final RuntimeException e) {
Review Comment:
This is changed in PR #14680
##########
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/execution/config/TableConfigTaskVisitor.java:
##########
@@ -319,8 +321,11 @@ protected IConfigTask visitShowDB(final ShowDB node, final
MPPQueryContext conte
accessControl.checkCanShowOrUseDatabase(
context.getSession().getUserName(), databaseName);
return true;
- } catch (final AccessControlException e) {
- return false;
+ } catch (final RuntimeException e) {
Review Comment:
Use accessDeniedException