This is an automated email from the ASF dual-hosted git repository.

starocean999 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 3c7b79931ef [fix](auth)Fix use encryptkey should check auth (#41791)
3c7b79931ef is described below

commit 3c7b79931ef93a381df386bf99ab82a3d668c804
Author: zhangdong <493738...@qq.com>
AuthorDate: Fri Oct 18 10:44:56 2024 +0800

    [fix](auth)Fix use encryptkey should check auth (#41791)
    
    check PrivPredicate.SHOW of db
---
 .../expression/rules/FoldConstantRuleOnFE.java     | 10 ++++
 .../suites/auth_p0/test_use_encryptkey_auth.groovy | 55 ++++++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
index 7fad2d80ac8..1857ddd0577 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/expression/rules/FoldConstantRuleOnFE.java
@@ -20,7 +20,10 @@ package org.apache.doris.nereids.rules.expression.rules;
 import org.apache.doris.catalog.EncryptKey;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.cluster.ClusterNamespace;
+import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.util.DebugUtil;
+import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.rules.expression.AbstractExpressionRewriteRule;
 import org.apache.doris.nereids.rules.expression.ExpressionListenerMatcher;
@@ -226,6 +229,13 @@ public class FoldConstantRuleOnFE extends 
AbstractExpressionRewriteRule
         if ("".equals(dbName)) {
             throw new AnalysisException("DB " + dbName + "not found");
         }
+        if (!Env.getCurrentEnv().getAccessManager()
+                .checkDbPriv(ConnectContext.get(), 
InternalCatalog.INTERNAL_CATALOG_NAME,
+                        dbName, PrivPredicate.SHOW)) {
+            String message = 
ErrorCode.ERR_DB_ACCESS_DENIED_ERROR.formatErrorMsg(
+                    PrivPredicate.SHOW.getPrivs().toString(), dbName);
+            throw new AnalysisException(message);
+        }
         org.apache.doris.catalog.Database database =
                 Env.getCurrentEnv().getInternalCatalog().getDbNullable(dbName);
         if (database == null) {
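Review bot: The new guard uses `PrivPredicate.SHOW`, which as far as I know is the broadest database-level predicate in Doris (it passes when the user holds any privilege on the database), so use of the key is gated on the database being visible rather than on a read privilege. If that is the intent, record it at the check, e.g. `// Resolving a key only requires that the db is visible to the user (SHOW); keep this check ahead of the catalog lookup.`; if it is not, a stricter predicate such as `PrivPredicate.SELECT` is the one to consider. The check is pinned to `InternalCatalog.INTERNAL_CATALOG_NAME`, which is consistent with the `getInternalCatalog()` lookup that follows. The enclosing method starts and ends outside this hunk, so how `dbName` is derived for an unqualified key and whether `ConnectContext.get()` can be null at this point cannot be confirmed from here.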
diff --git a/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy 
b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
new file mode 100644
index 00000000000..78fc2e4c8a8
--- /dev/null
+++ b/regression-test/suites/auth_p0/test_use_encryptkey_auth.groovy
@@ -0,0 +1,55 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_use_encryptkey_auth","p0,auth") {
+    String suiteName = "test_version_info_mtmv"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String user = "${suiteName}_user"
+    String key = "${suiteName}_key"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """grant select_priv on regression_test to ${user}"""
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+    sql """CREATE ENCRYPTKEY ${key} AS 'ABCD123456789'"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        test {
+              sql """
+                  SELECT HEX(AES_ENCRYPT("Doris is Great", KEY 
${dbName}.${key}));
+              """
+              exception "denied"
+          }
+    }
+    sql """grant select_priv on ${dbName} to ${user}"""
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+          sql """
+              SELECT HEX(AES_ENCRYPT("Doris is Great", KEY ${dbName}.${key}));
+          """
+    }
+    try_sql("DROP USER ${user}")
+    try_sql("DROP ENCRYPTKEY ${key}")
+}
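Review bot: `suiteName` is set to "test_version_info_mtmv", which looks copied from a different suite, so this test creates and drops `test_version_info_mtmv_user` and `test_version_info_mtmv_key`, and the leading `try_sql("DROP USER ${user}")` may remove an account that a suite of that name depends on if the two run together; use `String suiteName = "test_use_encryptkey_auth"`. Only the qualified form `KEY ${dbName}.${key}` is exercised; if an unqualified key name is resolved against the session database (the `"".equals(dbName)` branch in the Java hunk suggests it may be), a denied case for that form is worth adding. The final `DROP USER` / `DROP ENCRYPTKEY` calls are skipped when an assertion fails, leaving the account with its fixed password in place until the next run, so they belong in a `finally`. `import org.junit.Assert` is unused.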

