This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push: new 54b3000de51 [fix](auth)create view check select_priv of table instead of column (#49268) 54b3000de51 is described below commit 54b3000de513b4be95e90ff776a2a6f44960b3cc Author: zhangdong <zhangd...@selectdb.com> AuthorDate: Thu Mar 20 23:08:58 2025 +0800 [fix](auth)create view check select_priv of table instead of column (#49268)
--- .../org/apache/doris/analysis/AlterViewStmt.java | 2 +- .../org/apache/doris/analysis/BaseViewStmt.java | 32 ++++------------ .../org/apache/doris/analysis/CreateViewStmt.java | 2 +- .../suites/auth_call/test_ddl_view_auth.groovy | 44 ++++++++-------------- .../suites/auth_p0/test_alter_view_auth.groovy | 2 +- .../suites/auth_p0/test_create_view_auth.groovy | 2 +- 6 files changed, 28 insertions(+), 56 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
index 39ea2ff1294..73570515e37 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterViewStmt.java
@@ -74,7 +74,7 @@ public class AlterViewStmt extends BaseViewStmt {
 viewDefStmt.setNeedToSql(true);
 Analyzer viewAnalyzer = new Analyzer(analyzer);
 viewDefStmt.analyze(viewAnalyzer);
- checkQueryAuth();
+ checkQueryAuth(viewAnalyzer);
 createColumnAndViewDefs(analyzer);
 }
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
index d33c234af11..77b4bc563d4 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/BaseViewStmt.java
@@ -18,7 +18,7 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
-import org.apache.doris.catalog.Env;
+import org.apache.doris.catalog.TableIf;
 import org.apache.doris.catalog.Type;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.DdlException;
@@ -27,19 +27,18 @@ import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
 import org.apache.doris.common.util.SqlParserUtils;
 import org.apache.doris.common.util.ToSqlContext;
-import org.apache.doris.datasource.InternalCatalog;
-import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import java.io.StringReader;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -92,26 +91,11 @@ public class BaseViewStmt extends DdlStmt {
 return inlineViewDef;
 }
- protected void checkQueryAuth() throws UserException {
- for (int i = 0; i < viewDefStmt.getBaseTblResultExprs().size(); ++i) {
- Expr expr = viewDefStmt.getBaseTblResultExprs().get(i);
- if (!(expr instanceof SlotRef)) {
- continue;
- }
- SlotRef slotRef = (SlotRef) expr;
- TableName queryTableName = slotRef.getTableName();
- if (queryTableName == null) {
- continue;
- }
- String queryColumnName = slotRef.getColumnName();
- String ctlName = StringUtils.isEmpty(queryTableName.getCtl()) ? InternalCatalog.INTERNAL_CATALOG_NAME
- : queryTableName.getCtl();
- // check privilege
- Env.getCurrentEnv().getAccessManager()
- .checkColumnsPriv(ConnectContext.get().getCurrentUserIdentity(), ctlName,
- queryTableName.getDb(), queryTableName.getTbl(), Sets.newHashSet(queryColumnName),
- PrivPredicate.SELECT);
- }
+ protected void checkQueryAuth(Analyzer analyzer) throws UserException {
+ Map<Long, TableIf> tableMap = Maps.newTreeMap();
+ Set<String> parentViewNameSet = Sets.newHashSet();
+ // not really want to obtain tables, but rather use the authentication logic in this method
+ viewDefStmt.getTables(analyzer, false, tableMap, parentViewNameSet);
 }
 /**
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
index 50b658a48aa..512818309a2 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateViewStmt.java
@@ -96,7 +96,7 @@ public class CreateViewStmt extends BaseViewStmt {
 Analyzer viewAnalyzer = new Analyzer(analyzer);
 viewDefStmt.forbiddenMVRewrite();
 viewDefStmt.analyze(viewAnalyzer);
- checkQueryAuth();
+ checkQueryAuth(viewAnalyzer);
 createColumnAndViewDefs(viewAnalyzer);
 } finally {
 // must reset this flag, otherwise, all following query statement in this connection
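Review bot: The new checkQueryAuth(Analyzer) depends entirely on a side effect of `viewDefStmt.getTables(analyzer, false, tableMap, parentViewNameSet)` for the privilege check, and nothing in the hunk pins that contract — if getTables ever stops checking SELECT privilege, or the `false` flag skips it for some statement shapes, CREATE VIEW and ALTER VIEW would silently lose their only authorization gate, and the discarded `tableMap`/`parentViewNameSet` give a reader no hint that the call is load-bearing. The inline comment should state this explicitly, e.g. `// Side-effect call: getTables() is expected to enforce SELECT privilege on every base table the view definition references (replacing the former per-column checkColumnsPriv loop); its collected outputs are intentionally discarded.` A Javadoc on the method should also document that the check is deliberately table-level rather than column-level, with `@throws UserException` when the current user lacks SELECT privilege on a referenced table (presumably raised inside getTables — confirm), since users holding only a column-level select_priv grant will now be denied. The enclosing class BaseViewStmt continues outside the hunk.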
diff --git a/regression-test/suites/auth_call/test_ddl_view_auth.groovy b/regression-test/suites/auth_call/test_ddl_view_auth.groovy
index 46930c7e3de..f90bab9dc8e 100644
--- a/regression-test/suites/auth_call/test_ddl_view_auth.groovy
+++ b/regression-test/suites/auth_call/test_ddl_view_auth.groovy
@@ -66,24 +66,22 @@ suite("test_ddl_view_auth","p0,auth_call") {
 exception 'denied'
 }
 }
- sql """grant select_priv(id) on ${dbName}.${tableName} to ${user}"""
- connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
- test {
- sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
- AS
- SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
- WHERE id = 1 GROUP BY k1;"""
- exception 'denied'
- }
- def res = sql """SHOW VIEW from ${tableName} from ${dbName}"""
- assertTrue(res.size() == 0)
- }
- sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
- AS
- SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
- WHERE id = 1 GROUP BY k1;"""
- sql """grant Create_priv on ${dbName}.${viewName} to ${user}"""
- sql """drop view ${dbName}.${viewName}"""
+ sql """grant Create_priv on ${dbName}.${viewName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+ test {
+ sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
+ AS
+ SELECT id as k1, SUM(id) FROM ${dbName}.${tableName}
+ WHERE id = 1 GROUP BY k1;"""
+ exception "denied"
+ }
+ test {
+ sql """SHOW VIEW from ${tableName} from ${dbName}"""
+ exception 'denied'
+ }
+ }
+ sql """grant select_priv on ${dbName}.${tableName} to ${user}"""
+ connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
 sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
 AS
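Review bot: The scenario the commit title is about — a user holding only a column-level `select_priv(id)` grant on the base table — is dropped from this hunk instead of being kept as a denial case, so the rewritten block only pins "Create_priv alone → denied" and "table-level select_priv → allowed" and would not catch a regression back to per-column checking. If column-only grants are meant to be insufficient now, keep a step `sql """grant select_priv(id) on ${dbName}.${tableName} to ${user}"""` after the Create_priv grant, followed by a `test { ... exception 'denied' }` CREATE VIEW block, before the table-level `grant select_priv` that makes it succeed. The second hunk of this file likewise removes the `username`-column denial case without a replacement. The suite block continues outside the hunk.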
@@ -93,16 +91,6 @@ suite("test_ddl_view_auth","p0,auth_call") {
 def res = sql """SHOW VIEW from ${tableName} from ${dbName}"""
 assertTrue(res.size() == 1)
 }
- connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
- sql """set enable_fallback_to_original_planner=false;"""
- test {
- sql """CREATE VIEW ${dbName}.${viewName} (k1, v1)
- AS
- SELECT username as k1, SUM(id) FROM ${dbName}.${tableName}
- WHERE id = 1 GROUP BY k1;"""
- exception 'denied'
- }
- }
 // ddl alter
 // user alter
diff --git a/regression-test/suites/auth_p0/test_alter_view_auth.groovy b/regression-test/suites/auth_p0/test_alter_view_auth.groovy
index 137af46f32f..2d8c99e95ae 100644
--- a/regression-test/suites/auth_p0/test_alter_view_auth.groovy
+++ b/regression-test/suites/auth_p0/test_alter_view_auth.groovy
@@ -56,7 +56,7 @@ suite("test_alter_view_auth","p0,auth") {
 sql "alter view ${dbName}.${viewName} as select * from ${dbName}.${tableName};"
 } catch (Exception e) {
 log.info(e.getMessage())
- assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+ assertTrue(e.getMessage().contains("denied"))
 }
 }
 try_sql """drop table if exists ${dbName}.${tableName}"""
diff --git a/regression-test/suites/auth_p0/test_create_view_auth.groovy b/regression-test/suites/auth_p0/test_create_view_auth.groovy
index 7e2e253123c..54f32ebd1fd 100644
--- a/regression-test/suites/auth_p0/test_create_view_auth.groovy
+++ b/regression-test/suites/auth_p0/test_create_view_auth.groovy
@@ -53,7 +53,7 @@ suite("test_create_view_auth","p0,auth") {
 sql "create view ${dbName}.v1 as select * from ${dbName}.${tableName};"
 } catch (Exception e) {
 log.info(e.getMessage())
- assertTrue(e.getMessage().contains("Admin_priv,Select_priv"))
+ assertTrue(e.getMessage().contains("denied"))
 }
 }
 sql """drop table if exists ${dbName}.${tableName}"""
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org