This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new c4f8591652e branch-3.0: [fix](profile) Change the check of whether the 
username is admin and root to check whether the user specifically corresponds 
to admin permissions #41714 (#44864)
c4f8591652e is described below

commit c4f8591652e6295323648417ef79786970d4d825
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Fri Dec 27 11:47:33 2024 +0800

    branch-3.0: [fix](profile) Change the check of whether the username is 
admin and root to check whether the user specifically corresponds to admin 
permissions #41714 (#44864)
    
    Cherry-picked from #41714
    
    Co-authored-by: xyf <116467462+xyf...@users.noreply.github.com>
---
 .../httpv2/rest/manager/QueryProfileAction.java    |  2 +-
 .../test_http_permissions_check_auth.groovy        | 66 ++++++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/manager/QueryProfileAction.java
 
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/manager/QueryProfileAction.java
index 8c3dfa73aea..0886edb56fb 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/manager/QueryProfileAction.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/manager/QueryProfileAction.java
@@ -419,7 +419,7 @@ public class QueryProfileAction extends RestBaseController {
 
     private void checkAuthByUserAndQueryId(String queryId) throws 
AuthenticationException {
         String user = 
ConnectContext.get().getCurrentUserIdentity().getQualifiedUser();
-        if (!user.equalsIgnoreCase(Auth.ADMIN_USER) && 
!user.equalsIgnoreCase(Auth.ROOT_USER)) {
+        if 
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.ADMIN)) {
             ProfileManager.getInstance().checkAuthByUserAndQueryId(user, 
queryId);
         }
     }
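Review bot: `ConnectContext.get()` is read twice in `checkAuthByUserAndQueryId`, once for the user name and once for the privilege check, and neither read is null-checked. Binding it once, `ConnectContext ctx = ConnectContext.get();`, and passing `ctx` to both `getCurrentUserIdentity()` and `checkGlobalPriv(ctx, PrivPredicate.ADMIN)` makes it explicit that the ownership check and the admin check evaluate the same identity. The method would also benefit from a comment such as `// Holders of the global ADMIN privilege may read any profile; all other users are limited to queries they own.`, since this branch decides who skips the per-query ownership check. If other handlers in QueryProfileAction outside this hunk still compare the name against `Auth.ADMIN_USER` / `Auth.ROOT_USER`, they presumably need the same change.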
diff --git 
a/regression-test/suites/http_auth_check/test_http_permissions_check_auth.groovy
 
b/regression-test/suites/http_auth_check/test_http_permissions_check_auth.groovy
new file mode 100644
index 00000000000..36c6241a244
--- /dev/null
+++ 
b/regression-test/suites/http_auth_check/test_http_permissions_check_auth.groovy
@@ -0,0 +1,66 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_http_permissions_check_auth","p0,auth") {
+    String suiteName = "test_http_permissions_check_auth"
+    String tableName = "${suiteName}_table"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """drop table if exists `${tableName}`"""
+    sql """
+        CREATE TABLE `${tableName}` (
+          `k1` int,
+          `k2` int
+        ) ENGINE=OLAP
+        DISTRIBUTED BY random BUCKETS auto
+        PROPERTIES ('replication_num' = '1') ;
+        """
+    sql """insert into ${tableName} values(1,1)"""
+    sql """set session_context = 'trace_id:mmn9';"""
+    sql """select * from ${tableName};"""
+
+    def get_queryid_by_traceid = { check_func ->
+        httpTest {
+            basicAuthorization "${user}","${pwd}"
+            endpoint "${context.config.feHttpAddress}"
+            uri "/rest/v2/manager/query/trace_id/mmn9"
+            op "get"
+            check check_func
+        }
+    }
+
+    get_queryid_by_traceid.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("Bad Request"))
+    }
+
+    sql """grant 'admin' to ${user}"""
+
+    get_queryid_by_traceid.call() {
+        respCode, body ->
+            log.info("body:${body}")
+            assertTrue("${body}".contains("success"))
+    }
+
+    sql """drop table if exists `${tableName}`"""
+    try_sql("DROP USER ${user}")
+}
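Review bot: The cleanup at the end of the suite is not in a `finally`, so if either `assertTrue` fails after `grant 'admin' to ${user}`, the cluster is left with an admin-role account whose password is the literal in this file. Wrapping everything from the first `get_queryid_by_traceid.call()` onward in `try { ... } finally { ... }`, with the `drop table if exists` and `try_sql("DROP USER ${user}")` lines moved into the `finally`, avoids that. Both checks match only on body substrings (`"Bad Request"`, `"success"`) and ignore `respCode`; asserting the status code as well would make the denial case less dependent on message wording. The trace id `mmn9` is fixed, so a profile left over from an earlier run could presumably satisfy the lookup; deriving it from `suiteName` plus a per-run value would isolate runs.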

