This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new b16821f0182 branch-2.1: [fix](auth)Prohibit other users from modifying 
the root #48752 (#49585)
b16821f0182 is described below

commit b16821f018226c30a78fcc8a145614d4b812df37
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Fri Mar 28 09:54:32 2025 +0800

    branch-2.1: [fix](auth)Prohibit other users from modifying the root #48752 
(#49585)
    
    Cherry-picked from #48752
    
    Co-authored-by: zhangdong <zhangd...@selectdb.com>
---
 .../org/apache/doris/analysis/AlterUserStmt.java   |  8 ++++
 .../suites/account_p0/test_root_user.groovy        | 45 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
index 544a106b3ba..95084777575 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/AlterUserStmt.java
@@ -18,10 +18,12 @@
 package org.apache.doris.analysis;
 
 import org.apache.doris.catalog.Env;
+import org.apache.doris.cluster.ClusterNamespace;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
+import org.apache.doris.mysql.privilege.Auth;
 import org.apache.doris.mysql.privilege.PasswordPolicy.FailedLoginPolicy;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
@@ -133,6 +135,12 @@ public class AlterUserStmt extends DdlStmt {
             throw new AnalysisException("Only support doing one type of 
operation at one time");
         }
 
+        if (userDesc.getUserIdent().getQualifiedUser().equals(Auth.ROOT_USER)
+                && 
!ClusterNamespace.getNameFromFullName(ConnectContext.get().getQualifiedUser())
+                .equals(Auth.ROOT_USER)) {
+            throw new AnalysisException("Only root user can modify root user");
+        }
+
         if 
(!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), 
PrivPredicate.GRANT)) {
             
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, 
"GRANT");
         }
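Review bot: The new guard normalizes only one side of the comparison: the session user goes through `ClusterNamespace.getNameFromFullName(...)`, while the target from `userDesc.getUserIdent().getQualifiedUser()` is compared raw to `Auth.ROOT_USER`. If the target name can still carry a namespace prefix at this point (not visible in the hunk), the first condition is false and the guard is skipped, so both sides should use the same helper, e.g. `ClusterNamespace.getNameFromFullName(userDesc.getUserIdent().getQualifiedUser()).equals(Auth.ROOT_USER)`. The caller check also relies on the login name from `ConnectContext.get().getQualifiedUser()`; comparing against the identity resolved at authentication (`getCurrentUserIdentity()`) would tie the decision to the account that was actually matched. The guard covers only this statement's analysis path, whose enclosing method begins and ends outside the hunk, so other statements that can change root's credentials or privileges need their own check. A short comment above the `if` saying that ADMIN/GRANT holders are deliberately excluded from altering root would record the intent.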
diff --git a/regression-test/suites/account_p0/test_root_user.groovy 
b/regression-test/suites/account_p0/test_root_user.groovy
new file mode 100644
index 00000000000..7296120a8b8
--- /dev/null
+++ b/regression-test/suites/account_p0/test_root_user.groovy
@@ -0,0 +1,45 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_root_user", "account") {
+    String suiteName = "test_root_user"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+
+    try_sql("DROP USER ${user}")
+     sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+    sql """GRANT ADMIN_PRIV ON *.*.* TO ${user}"""
+    connect(user, "${pwd}", context.config.jdbcUrl) {
+         test {
+              sql """
+                  alter user root identified by '123456';
+              """
+              exception "root"
+        }
+
+        test {
+              sql """
+                  set password for 'root' = password('123456');
+              """
+              exception "root"
+            }
+    }
+
+}
+
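Review bot: Both `exception "root"` assertions only require the error text to contain "root", so they also pass on an unrelated failure that happens to echo the account name, such as a parse or password-policy error. For the `alter user` case, pin the guard's message with `exception "Only root user can modify root user"`; the `set password` case goes through a statement this diff does not show, so confirm which message it produces and match that. The suite also leaves an account holding ADMIN_PRIV with a fixed password on the cluster, and a closing `try_sql("DROP USER ${user}")` after the `connect` block would remove it. A positive case showing that root can still alter root is missing and would catch an over-broad guard.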

