This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push: new 93a2518d12e [fix](auth)Fix some issues with incorrect permission verification (#3… (#40410) 93a2518d12e is described below commit 93a2518d12efe15312825002ac144840be951317 Author: zhangdong <493738...@qq.com> AuthorDate: Mon Sep 9 11:04:49 2024 +0800 [fix](auth)Fix some issues with incorrect permission verification (#3… (#40410) …9726) pick: https://github.com/apache/doris/pull/39726 --- .../main/java/org/apache/doris/analysis/ShowColumnStmt.java | 11 +++++++++++ .../src/main/java/org/apache/doris/analysis/ShowDataStmt.java | 2 +- .../main/java/org/apache/doris/analysis/ShowSyncJobStmt.java | 9 +++++++++ .../apache/doris/analysis/ShowTabletStorageFormatStmt.java | 6 ++---- .../src/main/java/org/apache/doris/qe/ConnectScheduler.java | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
index eb7fcaf0285..9af269104cc 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java
@@ -18,9 +18,14 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.InfoSchemaDb;
 import org.apache.doris.catalog.ScalarType;
 import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.ShowResultSetMetaData;
 import com.google.common.base.Strings;
@@ -103,6 +108,12 @@ public class ShowColumnStmt extends ShowStmt {
 } else {
 metaData = META_DATA;
 }
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
+ tableName.getTbl(), PrivPredicate.SHOW)) {
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), tableName);
+ }
 }
 @Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
index dd2053750ba..799fa68bcf7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java
@@ -115,7 +115,7 @@ public class ShowDataStmt extends ShowStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 super.analyze(analyzer);
 dbName = analyzer.getDefaultDb();
- if (Strings.isNullOrEmpty(dbName)) {
+ if (Strings.isNullOrEmpty(dbName) && tableName == null) {
 getAllDbStats();
 return;
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
index 25980ea16a8..f0671f8afe0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java
@@ -18,10 +18,14 @@
 package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.qe.ShowResultSetMetaData;
 import com.google.common.base.Strings;
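Review bot: In ShowColumnStmt.java the new `checkTblPriv(..., PrivPredicate.SHOW)` guard sits at the very end of the method, after the `metaData` selection, so everything earlier in the method runs for a caller who has no SHOW privilege on the table. The start of the method is outside the hunk; if any of that earlier code resolves the database or table and can fail with a distinct error, an unprivileged user could tell existing objects from missing ones, so the guard would be better placed as soon as `tableName` is fully qualified. The diffstat lists only files under `main/java`, so none of the changed checks in this commit comes with a regression test; a negative case that runs the statement as a user without the privilege and expects the denial would pin the behaviour. A short comment above the guard, such as `// SHOW COLUMNS must not reveal the schema of a table the user cannot see`, would record the intent.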
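Review bot: In ShowDataStmt.java the condition `Strings.isNullOrEmpty(dbName) && tableName == null` now lets a statement that names a table continue past the early return while `dbName` is still null or empty. The code after the closing `}` is outside the hunk, so it is worth confirming that it takes the database from `tableName` before any lookup or privilege check reads `dbName`. The reason for the extra clause is not obvious from the line itself; a comment such as `// Only list all-db stats when no table is named; a named table must go through the normal analysis below` would keep a later cleanup from removing it.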
@@ -60,6 +64,11 @@ public class ShowSyncJobStmt extends ShowStmt {
 ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
 }
 }
+ if (!Env.getCurrentEnv().getAccessManager()
+ .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) {
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
+ PrivPredicate.SHOW.getPrivs().toString(), dbName);
+ }
 }
 @Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
index 441f0f1d7d5..9d0f3b88e6c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java
@@ -38,10 +38,8 @@ public class ShowTabletStorageFormatStmt extends ShowStmt {
 public void analyze(Analyzer analyzer) throws UserException {
 // check access first
 if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
- ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR,
- toSql(),
- ConnectContext.get().getQualifiedUser(),
- ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed.");
+ ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
+ PrivPredicate.ADMIN.getPrivs().toString());
 }
 super.analyze(analyzer);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
index 31a55649b50..db60ac84b63 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
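Review bot: In ShowSyncJobStmt.java the new `checkDbPriv` call pins the catalog to `InternalCatalog.INTERNAL_CATALOG_NAME` instead of taking it from the session, and nothing in the hunk says why. If sync jobs can only refer to databases in the internal catalog this is correct, but the assumption deserves a comment, for example `// Sync jobs are resolved in the internal catalog, so SHOW is checked there regardless of the session catalog`. The method starts above the hunk, so how `dbName` is resolved before the guard cannot be confirmed from here.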
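Review bot: In ShowTabletStorageFormatStmt.java the denial no longer carries `getQualifiedUser()` and `getRemoteIP()`; the new `ERR_SPECIFIC_ACCESS_DENIED_ERROR` call passes only the required privilege. That is a reasonable client-facing message, but if this exception text is what operators see in the FE or audit log for a rejected ADMIN statement, the identity and source address of the attempt are now missing there. It is worth confirming that the audit path records both independently of the message. The `// check access first` comment could also name the requirement, e.g. `// ADMIN is required; reject before any analysis runs`.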
@@ -163,7 +163,7 @@ public class ConnectScheduler {
 for (ConnectContext ctx : connectionMap.values()) {
 // Check auth
 if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager()
- .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
+ .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
 continue;
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
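Review bot: In ConnectScheduler.java the result of `checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)` does not depend on `ctx`, yet it is evaluated inside the loop for every connection that belongs to another user. Hoisting it makes the rule easier to audit: `boolean isAdmin = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN);` before the `for`, then `if (!isAdmin && !ctx.getQualifiedUser().equals(user)) {` inside it. The ownership test compares against the `user` argument while the privilege test reads the thread-local `ConnectContext.get()`; the method signature is outside the hunk, so confirm that both always describe the same caller. The `// Check auth` comment would say more as `// Non-admin users only see their own connections`.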