This is an automated email from the ASF dual-hosted git repository. kxiao pushed a commit to branch branch-2.0 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.0 by this push:
new 93bac916630 [enhancement](priv) Clarify ccr releated FrontendServiceImpl call privs (#25530) (#25779)
93bac916630 is described below
commit 93bac916630d4f34fae899c7dd2ade5a5a039368
Author: Jack Drogon <jack.xsuper...@gmail.com>
AuthorDate: Mon Oct 23 23:32:30 2023 +0800
[enhancement](priv) Clarify ccr releated FrontendServiceImpl call privs (#25530) (#25779)
---
.../apache/doris/service/FrontendServiceImpl.java | 94 +++++++++++++---------
1 file changed, 58 insertions(+), 36 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index 8db840b5bf3..791835bb7fa 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -493,7 +493,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  // index id -> index schema
  Map<Long, LinkedList<Column>> indexSchemaMap = new HashMap<>();
- //index id -> index col_unique_id supplier
+ // index id -> index col_unique_id supplier
  Map<Long, IntSupplier> colUniqueIdSupplierMap = new HashMap<>();
  for (Map.Entry<Long, List<Column>> entry : olapTable.getIndexIdToSchema(true).entrySet()) {
  indexSchemaMap.put(entry.getKey(), new LinkedList<>(entry.getValue()));
@@ -512,13 +512,13 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  colUniqueIdSupplierMap.put(entry.getKey(), colUniqueIdSupplier);
  }
- //4. call schame change function, only for dynamic table feature.
+ // 4. call schame change function, only for dynamic table feature.
  SchemaChangeHandler schemaChangeHandler = new SchemaChangeHandler();
  boolean lightSchemaChange = schemaChangeHandler.processAddColumns(
  addColumnsClause, olapTable, indexSchemaMap, true, colUniqueIdSupplierMap);
  if (lightSchemaChange) {
- //for schema change add column optimize, direct modify table meta.
+ // for schema change add column optimize, direct modify table meta.
  List<Index> newIndexes = olapTable.getCopiedIndexes();
  long jobId = Env.getCurrentEnv().getNextId();
  Env.getCurrentEnv().getSchemaChangeHandler().modifyTableLightSchemaChange(
@@ -530,7 +530,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  }
- //5. build all columns
+ // 5. build all columns
  for (Column column : olapTable.getBaseSchema()) {
  allColumns.add(column.toThrift());
  }
@@ -724,7 +724,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  if (params.isSetPattern()) {
  try {
  matcher = PatternMatcher.createMysqlPattern(params.getPattern(),
- CaseSensibility.TABLE.getCaseSensibility());
+ CaseSensibility.TABLE.getCaseSensibility());
  } catch (PatternMatcherException e) {
  throw new TException("Pattern is in bad format " + params.getPattern());
  }
@@ -1063,13 +1063,18 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  return tableNames;
  }
- private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl,
- String clientIp, PrivPredicate predicate) throws AuthenticationException {
+ private void checkSingleTablePasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl,
+ String clientIp, PrivPredicate predicate) throws AuthenticationException {
  checkPasswordAndPrivs(cluster, user, passwd, db, Lists.newArrayList(tbl), clientIp, predicate);
  }
+ private void checkDbPasswordAndPrivs(String cluster, String user, String passwd, String db, String clientIp,
+ PrivPredicate predicate) throws AuthenticationException {
+ checkPasswordAndPrivs(cluster, user, passwd, db, null, clientIp, predicate);
+ }
+
  private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, List<String> tables,
- String clientIp, PrivPredicate predicate) throws AuthenticationException {
+ String clientIp, PrivPredicate predicate) throws AuthenticationException {
  final String fullUserName = ClusterNamespace.getFullName(cluster, user);
  final String fullDbName = ClusterNamespace.getFullName(cluster, db);
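Review bot: The three overloads now carry an authorization contract that is only discoverable by reading the body of the list-taking `checkPasswordAndPrivs` in the next hunk: a `null` or empty `tables` list switches the check from per-table `checkTblPriv` to a database-level `checkDbPriv`, yet no signature says so and `checkDbPasswordAndPrivs` expresses that intent by passing a bare `null`. The list-taking overload should get a Javadoc stating that `tables == null` or an empty list means "require `predicate` on the whole database" and that otherwise every named table is checked individually, and `checkDbPasswordAndPrivs` a one-line Javadoc naming it as the database-level entry point. Because callers such as the one in the @@ -1533,7 +1552,7 hunk pass a request-supplied `request.getTbls()` straight through, the empty-list case deserves an explicit mention so that a request carrying an empty table list is understood to be authorized at database scope rather than per table; the guard in front of that call is outside its hunk.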
@@ -1077,10 +1082,20 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  Env.getCurrentEnv().getAuth().checkPlainPassword(fullUserName, clientIp, passwd, currentUser);
  Preconditions.checkState(currentUser.size() == 1);
+ if (tables == null || tables.isEmpty()) {
+ if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(currentUser.get(0), fullDbName, predicate)) {
+ throw new AuthenticationException(
+ "Access denied; you need (at least one of) the (" + predicate.toString()
+ + ") privilege(s) for this operation");
+ }
+ return;
+ }
+
  for (String tbl : tables) {
  if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(currentUser.get(0), fullDbName, tbl, predicate)) {
  throw new AuthenticationException(
- "Access denied; you need (at least one of) the LOAD privilege(s) for this operation");
+ "Access denied; you need (at least one of) the (" + predicate.toString()
+ + ") privilege(s) for this operation");
  }
  }
  }
@@ -1149,9 +1164,11 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  if (Strings.isNullOrEmpty(cluster)) {
  cluster = SystemInfoService.DEFAULT_CLUSTER;
  }
-
- if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(),
+ if (request.isSetAuthCode()) {
+ // TODO(cmy): find a way to check
+ } else if (Strings.isNullOrEmpty(request.getToken())) {
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ request.getTbl(),
  request.getUserIp(), PrivPredicate.LOAD);
  }
@@ -1325,7 +1342,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  private List<Table> queryLoadCommitTables(TLoadTxnCommitRequest request, Database db) throws UserException {
  List<String> tbNames;
- //check has multi table
+ // check has multi table
  if (CollectionUtils.isNotEmpty(request.getTbls())) {
  tbNames = request.getTbls();
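Review bot: The new `if (request.isSetAuthCode())` branch in the @@ -1149,9 +1164,11 hunk contains only a TODO, so a request that merely sets the auth-code field skips the password and LOAD-privilege check that the `else if` branch performs, and nothing in the hunk validates the code itself. Until a real verification exists, the safer shape is either not to special-case the field here, so the existing `Strings.isNullOrEmpty(request.getToken())` check still applies, or to fail closed, e.g. `throw new AuthenticationException("auth code verification is not supported for this request");`. If the auth code is in fact validated further down the method, that is outside the hunk and the comment should say where instead of leaving a TODO. The rest of the enclosing method lies outside the hunk.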
@@ -1337,7 +1354,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  OlapTable table = (OlapTable) db.getTableOrMetaException(tbl, TableType.OLAP);
  tables.add(table);
  }
- //if it has multi table, use multi table and update multi table running transaction table ids
+ // if it has multi table, use multi table and update multi table running transaction table ids
  if (CollectionUtils.isNotEmpty(request.getTbls())) {
  List<Long> multiTableIds = tables.stream().map(Table::getId).collect(Collectors.toList());
  Env.getCurrentGlobalTransactionMgr().getDatabaseTransactionMgr(db.getId())
@@ -1361,11 +1378,12 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  // refactoring it
  if (CollectionUtils.isNotEmpty(request.getTbls())) {
  for (String tbl : request.getTbls()) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl,
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ tbl,
  request.getUserIp(), PrivPredicate.LOAD);
  }
  } else {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
  request.getTbl(), request.getUserIp(), PrivPredicate.LOAD);
  }
@@ -1465,7 +1483,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  for (Table table : tableList) {
  // check auth
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), table.getName(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ table.getName(),
  request.getUserIp(), PrivPredicate.LOAD);
  }
@@ -1533,7 +1552,7 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbls(),
  request.getUserIp(), PrivPredicate.LOAD);
  } else {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
  request.getTbl(), request.getUserIp(), PrivPredicate.LOAD);
  }
  }
@@ -1718,14 +1737,15 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  } else if (request.isSetToken()) {
  checkToken(request.getToken());
  } else {
- //multi table load
+ // multi table load
  if (CollectionUtils.isNotEmpty(request.getTbls())) {
  for (String tbl : request.getTbls()) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl,
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ tbl,
  request.getUserIp(), PrivPredicate.LOAD);
  }
  } else {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
  request.getTbl(), request.getUserIp(), PrivPredicate.LOAD);
  }
@@ -2013,15 +2033,15 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
- String fullDbName, OlapTable table,
- long timeoutMs) throws UserException {
+ String fullDbName, OlapTable table,
+ long timeoutMs) throws UserException {
  return generatePlanFragmentParams(request, db, fullDbName, table, timeoutMs, 1, false);
  }
  private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db,
- String fullDbName, OlapTable table,
- long timeoutMs, int multiTableFragmentInstanceIdIndex,
- boolean isMultiTableRequest)
+ String fullDbName, OlapTable table,
+ long timeoutMs, int multiTableFragmentInstanceIdIndex,
+ boolean isMultiTableRequest)
  throws UserException {
  if (!table.tryReadLock(timeoutMs, TimeUnit.MILLISECONDS)) {
  throw new UserException(
@@ -2070,10 +2090,10 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  private TPipelineFragmentParams generatePipelineStreamLoadPut(TStreamLoadPutRequest request, Database db,
- String fullDbName, OlapTable table,
- long timeoutMs,
- int multiTableFragmentInstanceIdIndex,
- boolean isMultiTableRequest)
+ String fullDbName, OlapTable table,
+ long timeoutMs,
+ int multiTableFragmentInstanceIdIndex,
+ boolean isMultiTableRequest)
  throws UserException {
  if (db == null) {
  String dbName = fullDbName;
@@ -2584,7 +2604,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  cluster = SystemInfoService.DEFAULT_CLUSTER;
  }
  if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ request.getTable(),
  request.getUserIp(), PrivPredicate.SELECT);
  }
@@ -2705,8 +2726,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  request.getUser(), request.getDb(), request.getLabelName(), request.getSnapshotName(),
  request.getSnapshotType());
  if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
- request.getTable(), clientIp, PrivPredicate.LOAD);
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ request.getTable(), clientIp, PrivPredicate.SELECT);
  }
  // Step 3: get snapshot
@@ -2793,8 +2814,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  }
  if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
- request.getTable(), clientIp, PrivPredicate.LOAD);
+ checkDbPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), clientIp,
+ PrivPredicate.LOAD);
  }
  // Step 3: get snapshot
@@ -2927,7 +2948,8 @@ public class FrontendServiceImpl implements FrontendService.Iface {
  cluster = SystemInfoService.DEFAULT_CLUSTER;
  }
  if (Strings.isNullOrEmpty(request.getToken())) {
- checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(),
+ checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(),
+ request.getTable(),
  request.getUserIp(), PrivPredicate.SELECT);
  }
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org
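Review bot: In the @@ -2705,8 +2726,8 hunk the privilege required on `request.getTable()` changes from `PrivPredicate.LOAD` to `PrivPredicate.SELECT`, which is a policy change rather than part of the rename: a user holding only LOAD on the table loses access to this snapshot path and a user holding only SELECT gains it. Neither the code nor the commit message records why, so a one-line comment at the call should capture the reasoning, e.g. `// handing out a snapshot exposes table data, so gate it on SELECT rather than LOAD`, and the grant change is worth stating for operators upgrading with existing privileges. The enclosing method starts before the hunk.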
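Review bot: In the @@ -2793,8 +2814,8 hunk the check moves from a table-level to a database-level LOAD check via `checkDbPasswordAndPrivs`, so `request.getTable()` no longer takes part in the authorization decision even though the request still carries it. Presumably the target table may not exist before the restore, which would justify authorizing on the database, but that reasoning should sit next to the call, e.g. `// restore may create the table, so authorize LOAD on the database, not on the (possibly absent) table`. If `checkDbPriv` requires a database- or global-level grant, this is also stricter for users who were granted LOAD only on that table, and an intended regression of that kind belongs in the commit message. The enclosing method starts before the hunk.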