This is an automated email from the ASF dual-hosted git repository. morningman pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push: new b518a6ab46 [branch2.0][improvement](auth)select priv for Nereids (#22019) b518a6ab46 is described below commit b518a6ab46786a2941860cb9aca063bb9af2863b Author: zhangdong <493738...@qq.com> AuthorDate: Thu Jul 20 23:48:10 2023 +0800 [branch2.0][improvement](auth)select priv for Nereids (#22019) New optimizer select permission supports catalog Only for branch 2.0
---
.../nereids/rules/analysis/UserAuthentication.java | 38 +++++++++------------- 1 file changed, 15 insertions(+), 23 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
index b88108cbc9..04723a1e9c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
@@ -17,29 +17,20 @@ package org.apache.doris.nereids.rules.analysis; +import org.apache.doris.catalog.TableIf; import org.apache.doris.common.ErrorCode; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.nereids.exceptions.AnalysisException; import org.apache.doris.nereids.rules.Rule; import org.apache.doris.nereids.rules.RuleType; import org.apache.doris.nereids.trees.plans.Plan; -import org.apache.doris.nereids.trees.plans.logical.LogicalEsScan; -import org.apache.doris.nereids.trees.plans.logical.LogicalFileScan; -import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan; import org.apache.doris.nereids.trees.plans.logical.LogicalRelation; -import org.apache.doris.nereids.trees.plans.logical.LogicalSchemaScan; import org.apache.doris.qe.ConnectContext; -import com.google.common.collect.Sets; - -import java.util.Set; - /** * Check whether a user is permitted to scan specific tables. */ public class UserAuthentication extends OneAnalysisRuleFactory { - Set<Class<?>> relationsToCheck = Sets.newHashSet(LogicalOlapScan.class, LogicalEsScan.class, - LogicalFileScan.class, LogicalSchemaScan.class); @Override public Rule build() { 
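Review bot: The class Javadoc kept as context in this hunk still says the rule checks "specific tables", but with `relationsToCheck` removed the rule applies to every `LogicalRelation` that carries a table, and the following hunk adds the catalog name to the check. I would update the Javadoc to state the actual contract, for example `Checks that the current user holds SELECT on catalog.db.table for every relation that has a backing table; column-level privileges are not checked here.` The class body continues outside this hunk.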
@@ -53,20 +44,21 @@ public class UserAuthentication extends OneAnalysisRuleFactory { if (connectContext.getSessionVariable().isPlayNereidsDump()) { return relation; } - - if (relationsToCheck.contains(relation.getClass())) { - String dbName = - !relation.getQualifier().isEmpty() ? relation.getQualifier().get(0) : null; - String tableName = relation.getTable().getName(); - if (!connectContext.getEnv().getAccessManager().checkTblPriv(connectContext, dbName, - tableName, PrivPredicate.SELECT)) { - String message = ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT", - ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(), - dbName + ": " + tableName); - throw new AnalysisException(message); - } + TableIf table = relation.getTable(); + if (table == null) { + return relation; + } + String tableName = table.getName(); + String dbName = table.getDatabase().getFullName(); + String ctlName = table.getDatabase().getCatalog().getName(); + // TODO: 2023/7/19 checkColumnsPriv + if (!connectContext.getEnv().getAccessManager().checkTblPriv(connectContext, ctlName, dbName, + tableName, PrivPredicate.SELECT)) { + String message = ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT", + ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(), + ctlName + ": " + dbName + ": " + tableName); + throw new AnalysisException(message); } - return relation; } } --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
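Review bot: The new `if (table == null) { return relation; }` guard fails open: a relation with no table object now passes this rule without any privilege check, and nothing in the hunk says which relation types are expected to reach it. Either document the expected cases in a comment on the guard or reject the plan there, e.g. `throw new AnalysisException("cannot resolve table for privilege check");`. The chained `table.getDatabase().getFullName()` and `table.getDatabase().getCatalog().getName()` calls also assume neither getter returns null, which I cannot confirm from this hunk; a null there would surface as a NullPointerException instead of an access-denied error. The denial message reads the user and IP from `ConnectContext.get()` while the check itself uses the local `connectContext`; using `connectContext.getQualifiedUser(), connectContext.getRemoteIP(),` keeps the reported identity tied to the context that was actually checked. The enclosing rule lambda starts before this hunk.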