This is an automated email from the ASF dual-hosted git repository. morningman pushed a commit to branch branch-1.2-lts in repository https://gitbox.apache.org/repos/asf/doris.git
commit ceb9074b5ac2f83c0ee394ad33371719fe43192d Author: morningman <[email protected]> AuthorDate: Sat May 27 19:56:41 2023 +0800 [improvement](auth)only GRANT_PRIV and USAGE_PRIV can GRANT for RESOURCE #19547
---
 .../src/main/java/org/apache/doris/common/Config.java | 2 +-
 .../main/java/org/apache/doris/analysis/GrantStmt.java | 15 ++++++---------
 .../org/apache/doris/mysql/privilege/PaloPrivilege.java | 11 +++++++++++
 3 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index e493144d00..c17ef2a51c 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -1982,7 +1982,7 @@ public class Config extends ConfigBase {
 * If set to true, doris will try to parse the ddl of a hive view and try to execute the query
 * otherwise it will throw an AnalysisException.
 */
- @ConfField(mutable = true, expType = ExperimentalType.EXPERIMENTAL)
+ @ConfField(mutable = true)
 public static boolean enable_query_hive_views = false;
 
 /**
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index d44f0f51d8..7a75ac640c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -96,7 +96,7 @@ public class GrantStmt extends DdlStmt {
 }
 
 @Override
- public void analyze(Analyzer analyzer) throws AnalysisException, UserException {
+ public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 if (userIdent != null) {
 userIdent.analyze(analyzer.getClusterName());
@@ -191,14 +191,11 @@ public class GrantStmt extends DdlStmt {
 
 public static void checkResourcePrivileges(List<PaloPrivilege> privileges, String role,
 ResourcePattern resourcePattern) throws AnalysisException {
- // Rule 1
- if (privileges.contains(PaloPrivilege.NODE_PRIV)) {
- throw new AnalysisException("Can not grant/revoke NODE_PRIV to/from any other users or roles");
- }
-
- // Rule 2
- if (resourcePattern.getPrivLevel() != PrivLevel.GLOBAL && privileges.contains(PaloPrivilege.ADMIN_PRIV)) {
- throw new AnalysisException("ADMIN_PRIV privilege can only be granted/revoked on/from resource *");
+ for (int i = 0; i < PaloPrivilege.notBelongToResourcePrivileges.length; i++) {
+ if (privileges.contains(PaloPrivilege.notBelongToResourcePrivileges[i])) {
+ throw new AnalysisException(String.format("Can not grant/revoke %s to/from any other users or roles",
+ PaloPrivilege.notBelongToResourcePrivileges[i]));
+ }
 }
 
 if (role != null) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloPrivilege.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloPrivilege.java
index 7236165d63..019bffc768 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloPrivilege.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloPrivilege.java
@@ -44,6 +44,17 @@ public enum PaloPrivilege {
 USAGE_PRIV
 };
 
+ // only GRANT_PRIV and USAGE_PRIV can grant on resource
+ public static PaloPrivilege[] notBelongToResourcePrivileges = {
+ NODE_PRIV,
+ ADMIN_PRIV,
+ SELECT_PRIV,
+ LOAD_PRIV,
+ ALTER_PRIV,
+ CREATE_PRIV,
+ DROP_PRIV
+ };
+
 public static Map<PaloPrivilege, String> privInPaloToMysql = ImmutableMap.<PaloPrivilege, String>builder()
 // No NODE_PRIV and ADMIN_PRIV in the mysql
 .put(SELECT_PRIV, "SELECT")
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
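Review bot: The loop added to checkResourcePrivileges is a deny-list, so a privilege added to PaloPrivilege later becomes grantable on a RESOURCE unless someone also remembers to extend notBelongToResourcePrivileges. Checking against the two allowed values fails closed and matches the commit title, e.g. `for (PaloPrivilege p : privileges) { if (p != PaloPrivilege.USAGE_PRIV && p != PaloPrivilege.GRANT_PRIV) { throw new AnalysisException(...); } }`. The message carried over from the old Rule 1, "Can not grant/revoke %s to/from any other users or roles", is misleading for SELECT_PRIV or LOAD_PRIV, which are grantable elsewhere; `"%s can not be granted/revoked on/from a resource"` states what is actually refused. Dropping Rule 2 also means ADMIN_PRIV on resource `*` is now rejected where it used to be accepted, and if revoke goes through the same check (the message wording suggests so, but that caller is not visible here) existing grants of that kind may no longer be revocable. The method continues past the end of the hunk at `if (role != null) {`, so the remaining rules were not reviewed.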
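Review bot: `notBelongToResourcePrivileges` is declared `public static` without `final` and as a plain array, so any class in the FE can reassign the field or overwrite an element, which would silently change what checkResourcePrivileges rejects. A list that backs an authorization decision should be immutable: `public static final Set<PaloPrivilege> notBelongToResourcePrivileges = ImmutableSet.of(NODE_PRIV, ADMIN_PRIV, SELECT_PRIV, LOAD_PRIV, ALTER_PRIV, CREATE_PRIV, DROP_PRIV);` (Guava is already in use for privInPaloToMysql just below), with the caller iterating the set instead of indexing. The comment could also say that this is the set of privileges refused on a resource, e.g. `// privileges that must never be granted or revoked on a RESOURCE; only GRANT_PRIV and USAGE_PRIV are allowed there`.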
