This is an automated email from the ASF dual-hosted git repository.

morrysnow pushed a commit to branch branch-2.0
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.0 by this push:
     new 921901ac454 [fix](auth) ordinary users can see the processes of other 
users (#39747) (#40417)
921901ac454 is described below

commit 921901ac454dbef2a41dc3fd34a6b8a60d23833b
Author: zhangdong <493738...@qq.com>
AuthorDate: Mon Sep 9 19:18:22 2024 +0800

    [fix](auth) ordinary users can see the processes of other users (#39747) 
(#40417)
    
    pick from master #39747
---
 .../src/main/java/org/apache/doris/qe/ConnectScheduler.java    | 10 +++++++++-
 fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java |  1 +
 .../java/org/apache/doris/service/FrontendServiceImpl.java     |  6 +++++-
 gensrc/thrift/FrontendService.thrift                           |  1 +
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java 
b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
index 4000ac7b1d4..da3fc49aaf7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java
@@ -17,6 +17,7 @@
 
 package org.apache.doris.qe;
 
+import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.common.Config;
 import org.apache.doris.common.ThreadPoolManager;
@@ -161,10 +162,17 @@ public class ConnectScheduler {
     }
 
     // used for thrift
-    public List<List<String>> listConnectionWithoutAuth(boolean isShowFullSql, 
boolean isShowFeHost) {
+    public List<List<String>> listConnectionForRpc(UserIdentity userIdentity, 
boolean isShowFullSql,
+            boolean isShowFeHost) {
         List<List<String>> list = new ArrayList<>();
         long nowMs = System.currentTimeMillis();
         for (ConnectContext ctx : connectionMap.values()) {
+            // Check auth
+            if (!ctx.getCurrentUserIdentity().equals(userIdentity) && 
!Env.getCurrentEnv()
+                    .getAccessManager()
+                    .checkGlobalPriv(userIdentity, PrivPredicate.GRANT)) {
+                continue;
+            }
             list.add(ctx.toThreadInfo(isShowFullSql).toRow(-1, nowMs, 
isShowFeHost));
         }
         return list;
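Review bot: The `checkGlobalPriv(userIdentity, PrivPredicate.GRANT)` call in the added filter does not depend on `ctx`, yet it is re-evaluated for every connection owned by another user. Compute it once before the loop, e.g. `boolean canSeeAll = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(userIdentity, PrivPredicate.GRANT);`, and test `if (!canSeeAll && !userIdentity.equals(ctx.getCurrentUserIdentity())) { continue; }`. Putting `userIdentity` on the left of `equals` also avoids a NullPointerException if an entry in `connectionMap` has no identity yet; whether that can happen is not visible in this hunk. The surviving comment `// used for thrift` should also state that rows are limited to the caller's own connections unless the caller holds the global GRANT privilege.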
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java 
b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
index 40445cc9a21..69c92d0f166 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ShowExecutor.java
@@ -482,6 +482,7 @@ public class ShowExecutor {
             try {
                 TShowProcessListRequest request = new 
TShowProcessListRequest();
                 request.setShowFullSql(isShowFullSql);
+                
request.setCurrentUserIdent(ConnectContext.get().getCurrentUserIdentity().toThrift());
                 List<Pair<String, Integer>> frontends = 
FrontendsProcNode.getFrontendWithRpcPort(Env.getCurrentEnv(),
                         false);
                 FrontendService.Client client = null;
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java 
b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index cbbd49f69a8..7f81104d943 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -3316,8 +3316,12 @@ public class FrontendServiceImpl implements 
FrontendService.Iface {
         if (request.isSetShowFullSql()) {
             isShowFullSql = request.isShowFullSql();
         }
+        UserIdentity userIdentity = UserIdentity.ROOT;
+        if (request.isSetCurrentUserIdent()) {
+            userIdentity = 
UserIdentity.fromThrift(request.getCurrentUserIdent());
+        }
         List<List<String>> processList = 
ExecuteEnv.getInstance().getScheduler()
-                .listConnectionWithoutAuth(isShowFullSql, true);
+                .listConnectionForRpc(userIdentity, isShowFullSql, true);
         TShowProcessListResult result = new TShowProcessListResult();
         result.setProcessList(processList);
         return result;
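Review bot: The fallback `UserIdentity userIdentity = UserIdentity.ROOT;` makes the new filter fail open: a request that leaves `current_user_ident` unset is treated as ROOT and receives every connection, and an identity that is set is accepted from the request without any check on this side. Presumably the default exists for frontends that have not been upgraded yet, and the RPC is expected to be reachable only by trusted FE nodes; neither assumption is visible here, so record it next to the default, e.g. `// unset => request from a pre-upgrade FE; falls back to ROOT and relies on the RPC port being restricted to FE nodes`. If that trust cannot be assumed, returning an empty process list when the field is missing is the safer default. The enclosing method starts outside the hunk.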
diff --git a/gensrc/thrift/FrontendService.thrift 
b/gensrc/thrift/FrontendService.thrift
index a67bb59b80e..69aa37964dc 100644
--- a/gensrc/thrift/FrontendService.thrift
+++ b/gensrc/thrift/FrontendService.thrift
@@ -1254,6 +1254,7 @@ struct TGetBackendMetaResult {
 
 struct TShowProcessListRequest {
     1: optional bool show_full_sql
+    2: optional Types.TUserIdentity current_user_ident
 }
 
 struct TShowProcessListResult {

