This is an automated email from the ASF dual-hosted git repository.

morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new d91a7adb142 [enhance](auth)modify priv of refresh catalog/db/table 
(#39008)
d91a7adb142 is described below

commit d91a7adb1422c2d067c5f4b0f170734f9eb22398
Author: zhangdong <493738...@qq.com>
AuthorDate: Mon Aug 12 11:35:22 2024 +0800

    [enhance](auth)modify priv of refresh catalog/db/table (#39008)
    
    change priv of refresh catalog/db/table to `PrivPredicate.SHOW`
---
 .../java/org/apache/doris/analysis/RefreshCatalogStmt.java    |  6 +++---
 .../main/java/org/apache/doris/analysis/RefreshDbStmt.java    | 11 +++--------
 .../main/java/org/apache/doris/analysis/RefreshTableStmt.java | 11 +++--------
 .../src/main/java/org/apache/doris/common/ErrorCode.java      |  2 ++
 .../src/test/java/org/apache/doris/catalog/RefreshDbTest.java |  8 ++------
 .../test/java/org/apache/doris/catalog/RefreshTableTest.java  |  6 +-----
 6 files changed, 14 insertions(+), 30 deletions(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
index 060807b7919..7f72a25b7b7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshCatalogStmt.java
@@ -67,9 +67,9 @@ public class RefreshCatalogStmt extends DdlStmt {
         }
 
         if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(
-                ConnectContext.get(), catalogName, PrivPredicate.ALTER)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED,
-                    analyzer.getQualifiedUser(), catalogName);
+                ConnectContext.get(), catalogName, PrivPredicate.SHOW)) {
+            
ErrorReport.reportAnalysisException(ErrorCode.ERR_CATALOG_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), catalogName);
         }
 
         // Set to false only if user set the property "invalid_cache"="false"
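Review bot: Lowering the check from `PrivPredicate.ALTER` to `PrivPredicate.SHOW` lets any account that can merely see the catalog run a refresh, and the context comment just below the check indicates that cache invalidation is the default, so a low-privileged user can presumably force a metadata reload at will. The same relaxation is made in RefreshDbStmt and RefreshTableStmt, where the DROP and CREATE checks are replaced by SHOW. The commit message gives no rationale, so I would add a comment above each check along the lines of `// SHOW is enough here: refresh only reloads external metadata and modifies no object`, and confirm that something bounds how often a refresh can be triggered. The new message also drops `analyzer.getQualifiedUser()`, so it is worth confirming that the audit log still records which user was denied. The enclosing method starts and ends outside the hunk.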
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
index 091d55eafe0..69b312455a0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshDbStmt.java
@@ -87,14 +87,9 @@ public class RefreshDbStmt extends DdlStmt {
         }
         // check access
         if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
catalogName,
-                dbName, PrivPredicate.DROP)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
-                    ConnectContext.get().getQualifiedUser(), dbName);
-        }
-        if 
(!Env.getCurrentEnv().getAccessManager().checkDbPriv(ConnectContext.get(), 
catalogName,
-                dbName, PrivPredicate.CREATE)) {
-            ErrorReport.reportAnalysisException(
-                    ErrorCode.ERR_DBACCESS_DENIED_ERROR, 
analyzer.getQualifiedUser(), dbName);
+                dbName, PrivPredicate.SHOW)) {
+            
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
         }
         String invalidConfig = properties == null ? null : 
properties.get(INVALID_CACHE);
         // Default is to invalid cache.
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
index 9755e91dadf..7d872f70a94 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RefreshTableStmt.java
@@ -60,14 +60,9 @@ public class RefreshTableStmt extends DdlStmt {
         // check access
         if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
                 tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.DROP)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"DROP");
-        }
-
-        if 
(!Env.getCurrentEnv().getAccessManager().checkTblPriv(ConnectContext.get(),
-                tableName.getCtl(), tableName.getDb(),
-                tableName.getTbl(), PrivPredicate.CREATE)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"CREATE");
+                tableName.getTbl(), PrivPredicate.SHOW)) {
+            
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+                    PrivPredicate.SHOW.getPrivs().toString(), 
tableName.getTbl());
         }
     }
 
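Review bot: The new `reportAnalysisException` call identifies the denied object only by `tableName.getTbl()`, although the privilege check directly above it is evaluated on catalog, database and table together. Two tables with the same name in different databases or catalogs then produce an identical message, which makes a denial hard to attribute when reading logs. Assuming the message slot of `ERR_TABLE_ACCESS_DENIED_ERROR` (not visible in this commit) takes an arbitrary string, pass the qualified name instead, e.g. `tableName.getCtl() + "." + tableName.getDb() + "." + tableName.getTbl()`. The enclosing method begins outside the hunk.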
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java 
b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
index 6b12532b2e6..c65116dcc83 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
@@ -75,6 +75,8 @@ public enum ErrorCode {
             + "(current value: %d)"),
     ERR_SPECIFIC_ACCESS_DENIED_ERROR(1227, new byte[]{'4', '2', '0', '0', 
'0'}, "Access denied; you need (at least "
             + "one of) the (%s) privilege(s) for this operation"),
+    ERR_CATALOG_ACCESS_DENIED_ERROR(1221, new byte[]{'4', '2', '0', '0', '0'}, 
"Access denied; you need (at least "
+            + "one of) the (%s) privilege(s) on catalog %s for this 
operation"),
     ERR_DB_ACCESS_DENIED_ERROR(1225, new byte[]{'4', '2', '0', '0', '0'}, 
"Access denied; you need (at least "
             + "one of) the (%s) privilege(s) on database %s for this 
operation"),
 
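Review bot: `ERR_CATALOG_ACCESS_DENIED_ERROR` is assigned code 1221 with nothing to show that the number is free; most of the enum lies outside the hunk, so a duplicate cannot be ruled out from here. The neighbouring entries (1227, 1225) look like they follow MySQL's server error numbering, where 1221 is, as far as I recall, a wrong-usage error and not an access error, so a client that branches on the numeric code could misclassify a privilege denial. Please confirm the code is unique within `ErrorCode`, and if the number is deliberate add a comment above the entry such as `// Doris-specific code; not the MySQL meaning of 1221`.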
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java 
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
index fd7a6b1a24b..a18c41edc92 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshDbTest.java
@@ -120,23 +120,19 @@ public class RefreshDbTest extends TestWithFeService {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.* to 'user1'@'%';", rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
         user1.analyze();
         ConnectContext user1Ctx = createCtx(user1, "127.0.0.1");
         ExceptionChecker.expectThrowsWithMsg(AnalysisException.class,
-                "Access denied for user 'user1' to database 'db1'",
+                "Access denied",
                 () -> parseAndAnalyzeStmt("refresh database test1.db1", 
user1Ctx));
         ConnectContext.remove();
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.* to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();
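Review bot: This test no longer exercises the boundary of the new rule. The negative case now only checks that a user with no grants at all is rejected, matched against the loose substring `"Access denied"`, and the positive case still grants `drop_priv` under the comment `// add drop priv to user1`, which reflects the old requirement. Nothing here shows that the least privilege accepted by `PrivPredicate.SHOW` is sufficient, or that the message names the right object. I would tighten the expected text to `"Access denied; you need (at least one of) the"` and add a case that grants only a read-level privilege (for example `select_priv`, assuming SHOW includes it) before the refresh. The same applies to the two hunks in RefreshTableTest, and the test method continues past the end of this hunk.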
diff --git 
a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java 
b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
index aee15abd278..45878b6001e 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/catalog/RefreshTableTest.java
@@ -128,10 +128,6 @@ public class RefreshTableTest extends TestWithFeService {
         // create user1
         auth.createUser((CreateUserStmt) parseAndAnalyzeStmt(
                 "create user 'user1'@'%' identified by 'pwd1';", rootCtx));
-        // grant only create_priv to user1 on test1.db1.tbl11
-        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
-                "grant create_priv on test1.db1.tbl11 to 'user1'@'%';", 
rootCtx);
-        auth.grant(grantStmt);
 
         // mock login user1
         UserIdentity user1 = new UserIdentity("user1", "%");
@@ -144,7 +140,7 @@ public class RefreshTableTest extends TestWithFeService {
 
         // add drop priv to user1
         rootCtx.setThreadLocalInfo();
-        grantStmt = (GrantStmt) parseAndAnalyzeStmt(
+        GrantStmt grantStmt = (GrantStmt) parseAndAnalyzeStmt(
                 "grant drop_priv on test1.db1.tbl11 to 'user1'@'%';", rootCtx);
         auth.grant(grantStmt);
         ConnectContext.remove();

