This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new d786948b616 branch-2.1: [fix](auth)Privatize the authentication 
methods in the Auth class to avoid being called incorrectly #48033 (#48531)
d786948b616 is described below

commit d786948b61654959053eb5ebe113c8e9024d8393
Author: zhangdong <zhangd...@selectdb.com>
AuthorDate: Wed Mar 5 12:33:18 2025 +0800

    branch-2.1: [fix](auth)Privatize the authentication methods in the Auth 
class to avoid being called incorrectly #48033 (#48531)
    
    Cherry-picked from https://github.com/apache/doris/pull/48033
---
 .../src/main/java/org/apache/doris/mysql/privilege/Auth.java | 12 ++++++------
 .../trees/plans/commands/call/CallExecuteStmtFunc.java       |  2 +-
 .../trees/plans/commands/call/CallFlushAuditLogFunc.java     |  2 +-
 .../apache/doris/tablefunction/QueryTableValueFunction.java  |  2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 7346daddd7c..e5161a8cc2a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -278,7 +278,7 @@ public class Auth implements Writable {
     }
 
     // ==== Catalog ====
-    public boolean checkCtlPriv(UserIdentity currentUser, String ctl, 
PrivPredicate wanted) {
+    protected boolean checkCtlPriv(UserIdentity currentUser, String ctl, 
PrivPredicate wanted) {
         if (wanted.getPrivs().containsNodePriv()) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("should not check NODE priv in catalog level. user: 
{}, catalog: {}",
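Review bot: `protected` in Java still grants access to every class in `org.apache.doris.mysql.privilege` as well as to subclasses, so `checkCtlPriv` here remains callable directly from inside that package, which is weaker than the "Privatize" in the commit title suggests. The same applies to `checkDbPriv`, `checkTblPriv`, `checkColsPriv`, `checkResourcePriv` and `checkWorkloadGroupPriv` in the following hunks. If package-level access is intentional (presumably for the access-controller classes that live next to `Auth`), record that on each method, e.g. `// Intentionally not public: code outside this package must call Env.getCurrentEnv().getAccessManager() instead.` The method bodies continue outside these hunks.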
@@ -301,7 +301,7 @@ public class Auth implements Writable {
     }
 
     // ==== Database ====
-    public boolean checkDbPriv(UserIdentity currentUser, String ctl, String 
db, PrivPredicate wanted) {
+    protected boolean checkDbPriv(UserIdentity currentUser, String ctl, String 
db, PrivPredicate wanted) {
         if (wanted.getPrivs().containsNodePriv()) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("should not check NODE priv in Database level. user: 
{}, db: {}",
@@ -325,7 +325,7 @@ public class Auth implements Writable {
     }
 
     // ==== Table ====
-    public boolean checkTblPriv(UserIdentity currentUser, String ctl, String 
db, String tbl, PrivPredicate wanted) {
+    protected boolean checkTblPriv(UserIdentity currentUser, String ctl, 
String db, String tbl, PrivPredicate wanted) {
         if (wanted.getPrivs().containsNodePriv()) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("should check NODE priv in GLOBAL level. user: {}, 
db: {}, tbl: {}", currentUser, db, tbl);
@@ -349,7 +349,7 @@ public class Auth implements Writable {
     // ==== Column ====
     // The reason why this method throws an exception instead of returning a 
boolean is to
     // indicate which col does not have permission
-    public void checkColsPriv(UserIdentity currentUser, String ctl, String db, 
String tbl, Set<String> cols,
+    protected void checkColsPriv(UserIdentity currentUser, String ctl, String 
db, String tbl, Set<String> cols,
             PrivPredicate wanted) throws AuthorizationException {
         Set<Role> roles = getRolesByUserWithLdap(currentUser);
         for (String col : cols) {
@@ -372,7 +372,7 @@ public class Auth implements Writable {
     }
 
     // ==== Resource ====
-    public boolean checkResourcePriv(UserIdentity currentUser, String 
resourceName, PrivPredicate wanted) {
+    protected boolean checkResourcePriv(UserIdentity currentUser, String 
resourceName, PrivPredicate wanted) {
         readLock();
         try {
             Set<Role> roles = getRolesByUserWithLdap(currentUser);
@@ -388,7 +388,7 @@ public class Auth implements Writable {
     }
 
     // ==== Workload Group ====
-    public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String 
workloadGroupName, PrivPredicate wanted) {
+    protected boolean checkWorkloadGroupPriv(UserIdentity currentUser, String 
workloadGroupName, PrivPredicate wanted) {
         readLock();
         try {
             // currently stream load not support ip based auth, so normal 
should not auth temporary
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
index 1e36915c111..4302d277708 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
@@ -92,7 +92,7 @@ public class CallExecuteStmtFunc extends CallFunc {
         }
 
         // check priv
-        if (!Env.getCurrentEnv().getAuth().checkCtlPriv(user, catalogName, 
PrivPredicate.LOAD)) {
+        if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(user, 
catalogName, PrivPredicate.LOAD)) {
             throw new AnalysisException("user " + user + " has no privilege to 
execute stmt in catalog " + catalogName);
         }
 
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
index 60cae55e7f5..8d0beef4e67 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
@@ -48,7 +48,7 @@ public class CallFlushAuditLogFunc extends CallFunc {
     @Override
     public void run() {
         // check priv
-        if (!Env.getCurrentEnv().getAuth().checkGlobalPriv(user, 
PrivPredicate.ADMIN)) {
+        if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(user, 
PrivPredicate.ADMIN)) {
             throw new AnalysisException("Only admin can flush audit log");
         }
         // flush audit log
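Review bot: `Auth.checkGlobalPriv` is not among the six methods whose visibility is narrowed in the Auth.java hunks of this commit, so as far as this diff shows it stays reachable through `getAuth()`. The compiler would therefore not reject a new direct call like the one replaced here. Consider narrowing it in the same way, or, if it has to stay public, adding a comment on it that points callers to `getAccessManager().checkGlobalPriv(...)`. `run()` continues past the end of the hunk.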
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
index 07a125836b7..269ebdeab42 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
@@ -62,7 +62,7 @@ public abstract class QueryTableValueFunction extends 
TableValuedFunctionIf {
 
         // check priv
         UserIdentity userIdentity = 
ConnectContext.get().getCurrentUserIdentity();
-        if (!Env.getCurrentEnv().getAuth().checkCtlPriv(userIdentity, 
catalogName, PrivPredicate.SELECT)) {
+        if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(userIdentity, 
catalogName, PrivPredicate.SELECT)) {
             throw new org.apache.doris.nereids.exceptions.AnalysisException(
                     "user " + userIdentity + " has no privilege to query in 
catalog " + catalogName);
         }

