This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push: new 782973ee770 [fix](auth)Http api check auth (#40688) (#40865) 782973ee770 is described below commit 782973ee770b4e84259b92e5755f2980bf02919a Author: zhangdong <493738...@qq.com> AuthorDate: Sun Sep 15 23:50:54 2024 +0800 [fix](auth)Http api check auth (#40688) (#40865) pick: https://github.com/apache/doris/pull/40688 --- .../main/java/org/apache/doris/common/Config.java | 2 +- .../apache/doris/httpv2/rest/MetaInfoAction.java | 1 + .../org/apache/doris/httpv2/rest/ShowAction.java | 24 +++++- .../doris/httpv2/restv2/MetaInfoActionV2.java | 25 +++--- .../doris/regression/action/HttpCliAction.groovy | 38 ++++++++- .../auth_p0/test_http_meta_databases_auth.groovy | 58 ++++++++++++++ .../auth_p0/test_http_meta_tables_auth.groovy | 70 +++++++++++++++++ .../test_http_meta_tables_schema_auth.groovy | 69 ++++++++++++++++ .../auth_p0/test_http_table_count_auth.groovy | 69 ++++++++++++++++ .../auth_p0/test_http_table_data_auth.groovy | 91 ++++++++++++++++++++++ 10 files changed, 429 insertions(+), 18 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index b8cc93a4a5e..b9eefd839ea 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java @@ -321,7 +321,7 @@ public class Config extends ConfigBase { + "The connection is abandoned if the clock skew is larger than this value."}) public static long max_bdbje_clock_delta_ms = 5000; // 5s - @ConfField(description = {"是否启用所有 http 接口的认证", + @ConfField(mutable = true, description = {"是否启用所有 http 接口的认证", "Whether to enable all http interface authentication"}, varType = VariableAnnotation.EXPERIMENTAL) public static boolean enable_all_http_auth = false; 
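Review bot: Marking `enable_all_http_auth` as `mutable = true` means its value can change while a request is in flight, and `ShowAction.show_table_data` in this same commit reads it more than once per request (once to decide whether to run `executeCheckPassword`, then again before `checkTblAuth` and inside the `checkTblPriv` filters). If the flag flips from false to true between those reads, the privilege checks would run against a `ConnectContext` that this request presumably never authenticated. Handlers should snapshot the flag once, e.g. `final boolean authEnabled = Config.enable_all_http_auth;`, and use the local for every later decision. The description strings could also state that the flag is now changeable at runtime.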
diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/MetaInfoAction.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/MetaInfoAction.java index 1218736a2cb..14368c2869b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/MetaInfoAction.java +++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/MetaInfoAction.java @@ -59,6 +59,7 @@ import javax.servlet.http.HttpServletResponse; * And meta info like databases, tables and schema */ @RestController +@Deprecated public class MetaInfoAction extends RestBaseController { private static final String NAMESPACES = "namespaces"; diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/ShowAction.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/ShowAction.java index 8d93a440b22..09ca16e6ad0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/ShowAction.java +++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/ShowAction.java @@ -30,6 +30,7 @@ import org.apache.doris.common.Config; import org.apache.doris.common.proc.ProcNodeInterface; import org.apache.doris.common.proc.ProcResult; import org.apache.doris.common.proc.ProcService; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.ha.HAProtocol; import org.apache.doris.httpv2.entity.ResponseEntityBuilder; import org.apache.doris.mysql.privilege.PrivPredicate; 
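Review bot: `@Deprecated` is added to `MetaInfoAction` without a Javadoc `@deprecated` tag naming the replacement, and the class keeps its `@RestController` annotation, so its endpoints stay routable. The class comment should gain a line such as `@deprecated use MetaInfoActionV2 instead`. Whether the v1 handlers apply the same per-database and per-table privilege filtering that this commit corrects in `MetaInfoActionV2` is not visible in this hunk and is worth confirming, since deprecating the class does not restrict access to it.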
@@ -214,16 +215,23 @@ public class ShowAction extends RestBaseController { public Object show_table_data(HttpServletRequest request, HttpServletResponse response) { if (Config.enable_all_http_auth) { executeCheckPassword(request, response); - checkGlobalAuth(ConnectContext.get().getCurrentUserIdentity(), PrivPredicate.ADMIN); } - String dbName = request.getParameter(DB_KEY); String tableName = request.getParameter(TABLE_KEY); + + if (StringUtils.isEmpty(dbName) && StringUtils.isEmpty(tableName)) { + return ResponseEntityBuilder.okWithCommonError("db and table cannot be empty at the same time"); + } + String singleReplica = request.getParameter(SINGLE_REPLICA_KEY); boolean singleReplicaBool = Boolean.parseBoolean(singleReplica); Map<String, Map<String, Long>> oneEntry = Maps.newHashMap(); if (dbName != null) { String fullDbName = getFullDbName(dbName); + if (!StringUtils.isEmpty(tableName) && Config.enable_all_http_auth) { + checkTblAuth(ConnectContext.get().getCurrentUserIdentity(), fullDbName, tableName, PrivPredicate.SHOW); + } + DatabaseIf db = Env.getCurrentInternalCatalog().getDbNullable(fullDbName); if (db == null) { return ResponseEntityBuilder.okWithCommonError("database " + fullDbName + " not found."); @@ -236,6 +244,12 @@ public class ShowAction extends RestBaseController { if (db == null || !(db instanceof Database) || ((Database) db) instanceof MysqlCompatibleDatabase) { continue; } + if (Config.enable_all_http_auth && !Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get().getCurrentUserIdentity(), + InternalCatalog.INTERNAL_CATALOG_NAME, db.getFullName(), tableName, + PrivPredicate.SHOW)) { + continue; + } Map<String, Long> tablesEntry = getDataSizeOfTables(db, tableName, singleReplicaBool); oneEntry.put(ClusterNamespace.getNameFromFullName(db.getFullName()), tablesEntry); } 
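Review bot: With the global `PrivPredicate.ADMIN` check removed, a request that sets only `db` (empty `table`) reaches `getDbNullable(fullDbName)` with no privilege check, because `checkTblAuth` runs only when `tableName` is non-empty. An authenticated user with no grants can then tell `database ... not found.` apart from the response for an existing database, which discloses database names even though the per-table filter later hides the tables. A database-level `PrivPredicate.SHOW` check before the lookup (the db counterpart of `checkTblAuth`, if the controller has one) would close that. Separately, the new guard uses `StringUtils.isEmpty(dbName)` while the branch below still tests `dbName != null`, so `db=` with a table name enters the single-database branch with an empty name; `if (!StringUtils.isEmpty(dbName))` would keep the two consistent. The method body continues outside the hunk.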
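Review bot: The filter in hunk `@@ -236,6 +244,12 @@` calls `checkTblPriv` with `ConnectContext.get().getCurrentUserIdentity()`, while the equivalent filter added to the per-table loop in hunk `@@ -331,6 +345,12 @@` passes `ConnectContext.get()`, so the same authorization decision is spelled two different ways. A private helper, for example `private boolean canShowTable(String fullDbName, String tableName)`, called from both loops would keep the flag test, the catalog name and the predicate in one place, so a later change to the rule cannot be applied to only one path. A short comment that unauthorized entries are skipped silently here, whereas the single-database path rejects the request (the regression suites expect a `401` in the body), would also help readers.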
@@ -331,6 +345,12 @@ public class ShowAction extends RestBaseController { if (Strings.isNullOrEmpty(tableName)) { List<Table> tables = db.getTables(); for (Table table : tables) { + if (Config.enable_all_http_auth && !Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, db.getFullName(), + table.getName(), + PrivPredicate.SHOW)) { + continue; + } Map<String, Long> tableEntry = getDataSizeOfTable(table, singleReplica); oneEntry.putAll(tableEntry); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/httpv2/restv2/MetaInfoActionV2.java b/fe/fe-core/src/main/java/org/apache/doris/httpv2/restv2/MetaInfoActionV2.java index 13a247ba633..436d2611584 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/restv2/MetaInfoActionV2.java +++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/restv2/MetaInfoActionV2.java @@ -86,13 +86,14 @@ public class MetaInfoActionV2 extends RestBaseController { HttpServletRequest request, HttpServletResponse response) { checkWithCookie(request, response, false); - if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER)) { - return ResponseEntityBuilder.badRequest("Only support 'default_cluster' now"); + if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER) && !ns.equalsIgnoreCase( + InternalCatalog.INTERNAL_CATALOG_NAME)) { + return ResponseEntityBuilder.badRequest("Only support 'default_cluster/internal' now"); } // 1. get all database with privilege List<String> dbNames = Env.getCurrentInternalCatalog().getDbNames(); - List<String> dbNameSet = Lists.newArrayList(); + List<String> filteredDbNames = Lists.newArrayList(); for (String fullName : dbNames) { final String db = ClusterNamespace.getNameFromFullName(fullName); if (!Env.getCurrentEnv().getAccessManager() 
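Review bot: In `MetaInfoActionV2`, the namespace test `!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER) && !ns.equalsIgnoreCase(InternalCatalog.INTERNAL_CATALOG_NAME)` and its error string are repeated verbatim in three handlers (hunk `@@ -86,13 +86,14 @@`, then `@@ -129,8 +130,9 @@` and `@@ -199,8 +201,9 @@`). A small private method such as `private static boolean isSupportedNamespace(String ns)` would keep the accepted names and the message in step when another catalog name is added. The handler bodies continue outside these hunks.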
@@ -100,14 +101,14 @@ public class MetaInfoActionV2 extends RestBaseController { PrivPredicate.SHOW)) { continue; } - dbNameSet.add(db); + filteredDbNames.add(db); } - Collections.sort(dbNames); + Collections.sort(filteredDbNames); // handle limit offset - Pair<Integer, Integer> fromToIndex = getFromToIndex(request, dbNames.size()); - return ResponseEntityBuilder.ok(dbNames.subList(fromToIndex.first, fromToIndex.second)); + Pair<Integer, Integer> fromToIndex = getFromToIndex(request, filteredDbNames.size()); + return ResponseEntityBuilder.ok(filteredDbNames.subList(fromToIndex.first, fromToIndex.second)); } /** Get all tables of a database @@ -129,8 +130,9 @@ public class MetaInfoActionV2 extends RestBaseController { HttpServletRequest request, HttpServletResponse response) { checkWithCookie(request, response, false); - if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER)) { - return ResponseEntityBuilder.badRequest("Only support 'default_cluster' now"); + if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER) && !ns.equalsIgnoreCase( + InternalCatalog.INTERNAL_CATALOG_NAME)) { + return ResponseEntityBuilder.badRequest("Only support 'default_cluster/internal' now"); } String fullDbName = getFullDbName(dbName); @@ -199,8 +201,9 @@ public class MetaInfoActionV2 extends RestBaseController { HttpServletRequest request, HttpServletResponse response) throws UserException { checkWithCookie(request, response, false); - if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER)) { - return ResponseEntityBuilder.badRequest("Only support 'default_cluster' now"); + if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER) && !ns.equalsIgnoreCase( + InternalCatalog.INTERNAL_CATALOG_NAME)) { + return ResponseEntityBuilder.badRequest("Only support 'default_cluster/internal' now"); } String fullDbName = getFullDbName(dbName); 
diff --git a/regression-test/framework/src/main/groovy/org/apache/doris/regression/action/HttpCliAction.groovy b/regression-test/framework/src/main/groovy/org/apache/doris/regression/action/HttpCliAction.groovy index 8aaf7ef4883..366905b31f5 100644 --- a/regression-test/framework/src/main/groovy/org/apache/doris/regression/action/HttpCliAction.groovy +++ b/regression-test/framework/src/main/groovy/org/apache/doris/regression/action/HttpCliAction.groovy @@ -17,6 +17,7 @@ package org.apache.doris.regression.action +import com.google.common.collect.Maps import groovy.transform.stc.ClosureParams import groovy.transform.stc.FromString import groovy.util.logging.Slf4j @@ -37,7 +38,9 @@ class HttpCliAction implements SuiteAction { private String body private String result private String op + private Map<String, String> headers = Maps.newLinkedHashMap() private Closure check + private boolean printResponse = true SuiteContext context HttpCliAction(SuiteContext context) { @@ -60,6 +63,17 @@ class HttpCliAction implements SuiteAction { this.uri = uri } + void header(String key, String value) { + this.headers.put(key, value) + } + + void basicAuthorization(String user, String password) { + String credentials = user + ":" + (password.is(null) ? "" : password) + String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes()) + String headerValue = "Basic " + encodedCredentials; + headers.put("Authorization", headerValue) + } + void body(Closure<String> bodySupplier) { this.body = bodySupplier.call() } @@ -80,6 +94,10 @@ class HttpCliAction implements SuiteAction { this.result = result } + void printResponse(boolean printResponse) { + this.printResponse = printResponse + } + @Override void run() { try { 
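Review bot: `basicAuthorization` (hunk `@@ -60,6 +63,17 @@`) encodes the credentials with `credentials.getBytes()`, which uses the JVM's default charset, so a non-ASCII user name or password produces a different `Authorization` header depending on the machine that runs the suite. Passing the charset explicitly, `credentials.getBytes(java.nio.charset.StandardCharsets.UTF_8)`, makes the header deterministic. `password.is(null)` is an identity comparison where `password == null` (or `password ?: ""`) is the usual Groovy spelling, and a null `user` is currently concatenated as the text `null` rather than rejected.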
@@ -91,17 +109,25 @@ class HttpCliAction implements SuiteAction { if (op == "get") { HttpGet httpGet = new HttpGet(uri) + for (final def header in headers.entrySet()) { + httpGet.setHeader(header.getKey(), header.getValue()) + } client.execute(httpGet).withCloseable { resp -> resp.withCloseable { String respJson = EntityUtils.toString(resp.getEntity()) def respCode = resp.getStatusLine().getStatusCode() - log.info("respCode: ${respCode}, respJson: ${respJson}") + if (printResponse) { + log.info("respCode: ${respCode}, respJson: ${respJson}") + } return new ActionResult(respCode, respJson) } } } else { HttpPost httpPost = new HttpPost(uri) + for (final def header in headers.entrySet()) { + httpPost.setHeader(header.getKey(), header.getValue()) + } StringEntity requestEntity = new StringEntity( body, ContentType.APPLICATION_JSON); @@ -111,14 +137,18 @@ class HttpCliAction implements SuiteAction { resp.withCloseable { String respJson = EntityUtils.toString(resp.getEntity()) def respCode = resp.getStatusLine().getStatusCode() - log.info("respCode: ${respCode}, respJson: ${respJson}") + if (printResponse) { + log.info("respCode: ${respCode}, respJson: ${respJson}") + } return new ActionResult(respCode, respJson) } } } } - log.info("result:${result}".toString()) - log.info("this.result:${this.result}".toString()) + if (printResponse) { + log.info("result:${result}".toString()) + log.info("this.result:${this.result}".toString()) + } if (check != null) { check.call(result.respCode, result.body) } else { diff --git a/regression-test/suites/auth_p0/test_http_meta_databases_auth.groovy b/regression-test/suites/auth_p0/test_http_meta_databases_auth.groovy new file mode 100644 index 00000000000..c515b5c83ea --- /dev/null +++ b/regression-test/suites/auth_p0/test_http_meta_databases_auth.groovy 
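Review bot: The loop that copies `headers` onto the request is written twice in hunk `@@ -91,17 +109,25 @@`, once for `HttpGet` and once for `HttpPost`, and the `if (printResponse)` guard around the response log is repeated again in `@@ -111,14 +137,18 @@`. One closure that takes the request object and applies the headers (both request types are given `setHeader` calls here) would stop the two copies drifting apart. A comment on `printResponse` noting that it defaults to `true`, so response bodies are written to the log unless a suite opts out, would also be useful.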
@@ -0,0 +1,58 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_databases_auth","p0,auth,nonConcurrent") {
+ String suiteName = "test_http_meta_databases_auth"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String tableName = "${suiteName}_table"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ try {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "true"); """
+ def getDatabases = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/rest/v2/api/meta/namespaces/default_cluster/databases"
+ op "get"
+ check check_func
+ }
+ }
+
+ getDatabases.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertFalse("${body}".contains("${dbName}"))
+ }
+
+ sql """grant select_priv on ${dbName} to ${user}"""
+
+ getDatabases.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("${dbName}"))
+ }
+
+ try_sql("DROP USER ${user}")
+ } finally {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "false"); """
+ }
+}
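Review bot: The first check in `test_http_meta_databases_auth.groovy`, `assertFalse("${body}".contains("${dbName}"))`, never establishes that the request succeeded, so it also passes when the call fails outright (rejected credentials, an error body), and the suite would then not prove that the database was filtered for an unprivileged user. Asserting a success indicator first (the HTTP code, or the status carried in the JSON body if errors are reported there, as the `401` checks in the sibling suites suggest) makes the negative assertion meaningful. The same applies to the `assertFalse` on the table name in `test_http_meta_tables_auth.groovy` and to `getDbData` in `test_http_table_data_auth.groovy`. `tableName` and the `org.junit.Assert` import are unused in this file.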
diff --git a/regression-test/suites/auth_p0/test_http_meta_tables_auth.groovy b/regression-test/suites/auth_p0/test_http_meta_tables_auth.groovy
new file mode 100644
index 00000000000..b2fd5914352
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_http_meta_tables_auth.groovy
@@ -0,0 +1,70 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_tables_auth","p0,auth,nonConcurrent") {
+ String suiteName = "test_http_meta_tables_auth"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String tableName = "${suiteName}_table"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """drop table if exists `${tableName}`"""
+ sql """
+ CREATE TABLE `${tableName}` (
+ `k1` int,
+ `k2` int
+ ) ENGINE=OLAP
+ DISTRIBUTED BY random BUCKETS auto
+ PROPERTIES ('replication_num' = '1') ;
+ """
+ try {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "true"); """
+ def getTables = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/rest/v2/api/meta/namespaces/default_cluster/databases/${dbName}/tables"
+ op "get"
+ check check_func
+ }
+ }
+
+ getTables.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertFalse("${body}".contains("${tableName}"))
+ }
+
+ sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+ getTables.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("${tableName}"))
+ }
+
+ sql """drop table if exists `${tableName}`"""
+ try_sql("DROP USER ${user}")
+ } finally {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "false"); """
+ }
+
+
+}
diff --git a/regression-test/suites/auth_p0/test_http_meta_tables_schema_auth.groovy b/regression-test/suites/auth_p0/test_http_meta_tables_schema_auth.groovy
new file mode 100644
index 00000000000..f03d5a55bd3
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_http_meta_tables_schema_auth.groovy
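Review bot: In `test_http_meta_tables_auth.groovy` the cleanup statements (`drop table if exists` and `try_sql("DROP USER ${user}")`) sit at the end of the `try` body, so a failed assertion skips them and leaves behind the granted account, whose password is a literal in the repository; the `finally` block only resets `enable_all_http_auth`. Moving both statements into `finally` fixes that here and in the other four suites added by this commit. The `finally` block also forces the flag to `"false"` rather than restoring the value the cluster had before the suite ran, which deserves a comment if it is intentional.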
@@ -0,0 +1,69 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_meta_tables_schema_auth","p0,auth,nonConcurrent") {
+ String suiteName = "test_http_meta_tables_schema_auth"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String tableName = "${suiteName}_table"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """drop table if exists `${tableName}`"""
+ sql """
+ CREATE TABLE `${tableName}` (
+ `k1` int,
+ `k2` int
+ ) ENGINE=OLAP
+ DISTRIBUTED BY random BUCKETS auto
+ PROPERTIES ('replication_num' = '1') ;
+ """
+
+ try {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "true"); """
+ def getSchema = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/rest/v2/api/meta/namespaces/default_cluster/databases/${dbName}/tables/${tableName}/schema"
+ op "get"
+ check check_func
+ }
+ }
+
+ getSchema.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("401"))
+ }
+
+ sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+ getSchema.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("${tableName}"))
+ }
+
+ sql """drop table if exists `${tableName}`"""
+ try_sql("DROP USER ${user}")
+ } finally {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "false"); """
+ }
+}
diff --git a/regression-test/suites/auth_p0/test_http_table_count_auth.groovy b/regression-test/suites/auth_p0/test_http_table_count_auth.groovy
new file mode 100644
index 00000000000..2cf222b1f58
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_http_table_count_auth.groovy
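Review bot: In `test_http_meta_tables_schema_auth.groovy`, `assertTrue("${body}".contains("401"))` matches the digits `401` anywhere in the response, so the denial check here, and the `assertFalse("${body}".contains("401"))` after the grant in `test_http_table_count_auth.groovy`, both depend on no id, size or count in the body happening to contain those digits. Parsing the JSON and comparing its status field, or asserting on `respCode` if the server sets it for this error, would be exact. `test_http_table_data_auth.groovy` uses the same substring check in `getTableData`.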
@@ -0,0 +1,69 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_table_count_auth","p0,auth,nonConcurrent") {
+ String suiteName = "test_http_table_count_auth"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String tableName = "${suiteName}_table"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """drop table if exists `${tableName}`"""
+ sql """
+ CREATE TABLE `${tableName}` (
+ `k1` int,
+ `k2` int
+ ) ENGINE=OLAP
+ DISTRIBUTED BY random BUCKETS auto
+ PROPERTIES ('replication_num' = '1') ;
+ """
+ sql """insert into ${tableName} values(1,1)"""
+ try {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "true"); """
+ def getCount = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/api/${dbName}/${tableName}/_count"
+ op "get"
+ check check_func
+ }
+ }
+
+ getCount.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("401"))
+ }
+
+ sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+ getCount.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertFalse("${body}".contains("401"))
+ }
+
+ sql """drop table if exists `${tableName}`"""
+ try_sql("DROP USER ${user}")
+ } finally {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "false"); """
+ }
+}
diff --git a/regression-test/suites/auth_p0/test_http_table_data_auth.groovy b/regression-test/suites/auth_p0/test_http_table_data_auth.groovy
new file mode 100644
index 00000000000..3a773894a56
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_http_table_data_auth.groovy
@@ -0,0 +1,91 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_table_data_auth","p0,auth,nonConcurrent") {
+ String suiteName = "test_http_table_data_auth"
+ String dbName = context.config.getDbNameByFile(context.file)
+ String tableName = "${suiteName}_table"
+ String user = "${suiteName}_user"
+ String pwd = 'C123_567p'
+ try_sql("DROP USER ${user}")
+ sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+ sql """drop table if exists `${tableName}`"""
+ sql """
+ CREATE TABLE `${tableName}` (
+ `k1` int,
+ `k2` int
+ ) ENGINE=OLAP
+ DISTRIBUTED BY random BUCKETS auto
+ PROPERTIES ('replication_num' = '1') ;
+ """
+ sql """insert into ${tableName} values(1,1)"""
+ try {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "true"); """
+ def getTableData = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/api/show_table_data?db=${dbName}&table=${tableName}"
+ op "get"
+ check check_func
+ }
+ }
+
+ def getDbData = { check_func ->
+ httpTest {
+ basicAuthorization "${user}","${pwd}"
+ endpoint "${context.config.feHttpAddress}"
+ uri "/api/show_table_data?db=${dbName}"
+ op "get"
+ check check_func
+ }
+ }
+
+ getTableData.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("401"))
+ }
+
+ getDbData.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertFalse("${body}".contains("${tableName}"))
+ }
+
+ sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+
+ getTableData.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("${tableName}"))
+ }
+
+ getDbData.call() {
+ respCode, body ->
+ log.info("body:${body}")
+ assertTrue("${body}".contains("${tableName}"))
+ }
+
+ sql """drop table if exists `${tableName}`"""
+ try_sql("DROP USER ${user}")
+ } finally {
+ sql """ ADMIN SET ALL FRONTENDS CONFIG ("enable_all_http_auth" = "false"); """
+ }
+}
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
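Review bot: `test_http_table_data_auth.groovy` exercises `db` with `table` and `db` alone, but not a request with only `table` set, which is the branch where this commit adds the `checkTblPriv` filter inside the loop over all databases in `ShowAction.show_table_data`. A third closure with `uri "/api/show_table_data?table=${tableName}"`, asserted before and after the grant, would cover that path. The request with neither parameter, which now returns `db and table cannot be empty at the same time`, is also untested.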