You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by mo...@apache.org on 2022/06/21 06:47:00 UTC
[doris] branch revert-10246-datalake-auth created (now 18eb613eee)
This is an automated email from the ASF dual-hosted git repository.
morningman pushed a change to branch revert-10246-datalake-auth
in repository https://gitbox.apache.org/repos/asf/doris.git
at 18eb613eee Revert "[feature-wip](multi-catalog) add CatalogPrivTable to support unified authority management of datalake (#10246)"
This branch includes the following new commits:
new 18eb613eee Revert "[feature-wip](multi-catalog) add CatalogPrivTable to support unified authority management of datalake (#10246)"
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org
[doris] 01/01: Revert "[feature-wip](multi-catalog) add CatalogPrivTable to support unified authority management of datalake (#10246)"
Posted by mo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch revert-10246-datalake-auth
in repository https://gitbox.apache.org/repos/asf/doris.git
commit 18eb613eeedd5d55806f8fafde38757054093c49
Author: Mingyu Chen <mo...@gmail.com>
AuthorDate: Tue Jun 21 14:46:55 2022 +0800
Revert "[feature-wip](multi-catalog) add CatalogPrivTable to support unified authority management of datalake (#10246)"
This reverts commit 41cb4c8f9cf1b58fb33a1e46d2b7db803a15a59f.
---
.../org/apache/doris/common/FeMetaVersion.java | 4 +-
.../java/org/apache/doris/analysis/Analyzer.java | 4 -
.../java/org/apache/doris/analysis/GrantStmt.java | 4 +-
.../java/org/apache/doris/analysis/RevokeStmt.java | 2 +-
.../org/apache/doris/analysis/ShowRolesStmt.java | 1 -
.../java/org/apache/doris/analysis/TableName.java | 79 +++------
.../org/apache/doris/analysis/TablePattern.java | 91 +++-------
.../org/apache/doris/common/CaseSensibility.java | 1 -
.../java/org/apache/doris/common/ErrorCode.java | 2 +-
.../java/org/apache/doris/common/FeNameFormat.java | 8 -
.../org/apache/doris/common/proc/AuthProcDir.java | 4 +-
.../doris/mysql/privilege/CatalogPrivEntry.java | 136 ---------------
.../doris/mysql/privilege/CatalogPrivTable.java | 73 --------
.../apache/doris/mysql/privilege/DbPrivEntry.java | 52 +++---
.../apache/doris/mysql/privilege/DbPrivTable.java | 31 +++-
.../org/apache/doris/mysql/privilege/PaloAuth.java | 188 +++++----------------
.../apache/doris/mysql/privilege/PrivEntry.java | 16 --
.../apache/doris/mysql/privilege/PrivTable.java | 21 ---
.../apache/doris/mysql/privilege/RoleManager.java | 78 ++++++---
.../doris/mysql/privilege/TablePrivEntry.java | 60 ++++---
.../doris/mysql/privilege/TablePrivTable.java | 37 ++--
.../doris/mysql/privilege/UserPrivTable.java | 52 +++---
.../java/org/apache/doris/qe/ConnectContext.java | 11 --
.../org/apache/doris/mysql/privilege/AuthTest.java | 7 +-
.../doris/mysql/privilege/PrivEntryTest.java | 6 +-
25 files changed, 291 insertions(+), 677 deletions(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/FeMetaVersion.java b/fe/fe-common/src/main/java/org/apache/doris/common/FeMetaVersion.java
index 1a5d6da4ce..70cacd7a1c 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/FeMetaVersion.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/FeMetaVersion.java
@@ -40,10 +40,8 @@ public final class FeMetaVersion {
public static final int VERSION_109 = 109;
// For routine load user info
public static final int VERSION_110 = 110;
- // add catalog PrivTable in PaloAuth to support unified privilege management
- public static final int VERSION_111 = 111;
// note: when increment meta version, should assign the latest version to VERSION_CURRENT
- public static final int VERSION_CURRENT = VERSION_111;
+ public static final int VERSION_CURRENT = VERSION_110;
// all logs meta version should >= the minimum version, so that we could remove many if clause, for example
// if (FE_METAVERSION < VERSION_94) ...
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/Analyzer.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/Analyzer.java
index 8b35987710..997891253f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/Analyzer.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/Analyzer.java
@@ -1935,10 +1935,6 @@ public class Analyzer {
return globalState.context.getConnectionId();
}
- public String getDefaultCatalog() {
- return globalState.context.getDefaultCatalog();
- }
-
public String getDefaultDb() {
return globalState.context.getDatabase();
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
index 4ad8fe8073..4e849e7c61 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java
@@ -107,7 +107,7 @@ public class GrantStmt extends DdlStmt {
}
if (tblPattern != null) {
- tblPattern.analyze(analyzer);
+ tblPattern.analyze(analyzer.getClusterName());
} else {
// TODO(wyb): spark-load
if (!Config.enable_spark_load) {
@@ -148,7 +148,7 @@ public class GrantStmt extends DdlStmt {
// Rule 1
if (tblPattern.getPrivLevel() != PrivLevel.GLOBAL && (privileges.contains(PaloPrivilege.ADMIN_PRIV)
|| privileges.contains(PaloPrivilege.NODE_PRIV))) {
- throw new AnalysisException("ADMIN_PRIV and NODE_PRIV can only be granted on *.*.*");
+ throw new AnalysisException("ADMIN_PRIV and NODE_PRIV can only be granted on *.*");
}
// Rule 2
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
index 98b36b4968..c84f490ddf 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
@@ -97,7 +97,7 @@ public class RevokeStmt extends DdlStmt {
}
if (tblPattern != null) {
- tblPattern.analyze(analyzer);
+ tblPattern.analyze(analyzer.getClusterName());
} else {
// TODO(wyb): spark-load
if (!Config.enable_spark_load) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRolesStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRolesStmt.java
index 4e8c96e2b9..47b9bacda2 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRolesStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowRolesStmt.java
@@ -36,7 +36,6 @@ public class ShowRolesStmt extends ShowStmt {
builder.addColumn(new Column("Name", ScalarType.createVarchar(100)));
builder.addColumn(new Column("Users", ScalarType.createVarchar(100)));
builder.addColumn(new Column("GlobalPrivs", ScalarType.createVarchar(300)));
- builder.addColumn(new Column("CatalogPrivs", ScalarType.createVarchar(300)));
builder.addColumn(new Column("DatabasePrivs", ScalarType.createVarchar(300)));
builder.addColumn(new Column("TablePrivs", ScalarType.createVarchar(300)));
builder.addColumn(new Column("ResourcePrivs", ScalarType.createVarchar(300)));
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableName.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableName.java
index ff1bb7bc09..047d518e16 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableName.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableName.java
@@ -25,54 +25,32 @@ import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
-import org.apache.doris.common.FeMetaVersion;
import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
-import org.apache.doris.datasource.InternalDataSource;
-import org.apache.doris.persist.gson.GsonUtils;
import com.google.common.base.Strings;
-import com.google.gson.annotations.SerializedName;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
-import java.util.Objects;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
public class TableName implements Writable {
- @SerializedName(value = "ctl")
- private String ctl;
- @SerializedName(value = "tbl")
private String tbl;
- @SerializedName(value = "db")
private String db;
public TableName() {
}
- public TableName(String ctl, String db, String tbl) {
+ public TableName(String db, String tbl) {
if (Catalog.isStoredTableNamesLowerCase() && !Strings.isNullOrEmpty(tbl)) {
tbl = tbl.toLowerCase();
}
- this.ctl = ctl;
this.db = db;
this.tbl = tbl;
}
- /**
- * Initialize catalog in analyze.
- */
- public TableName(String db, String tbl) {
- this(null, db, tbl);
- }
-
public void analyze(Analyzer analyzer) throws AnalysisException {
- if (Strings.isNullOrEmpty(ctl)) {
- ctl = analyzer.getDefaultCatalog();
- }
if (Strings.isNullOrEmpty(db)) {
db = analyzer.getDefaultDb();
if (Strings.isNullOrEmpty(db)) {
@@ -90,14 +68,6 @@ public class TableName implements Writable {
}
}
- public String getCtl() {
- return ctl;
- }
-
- public void setCtl(String ctl) {
- this.ctl = ctl;
- }
-
public String getDb() {
return db;
}
@@ -115,22 +85,33 @@ public class TableName implements Writable {
}
/**
- * Returns true if this name has a non-empty catalog and a non-empty database field
- * and a non-empty table name.
+ * Returns true if this name has a non-empty database field and a non-empty
+ * table name.
*/
public boolean isFullyQualified() {
- return ctl != null && !ctl.isEmpty() && db != null && !db.isEmpty() && !tbl.isEmpty();
+ return db != null && !db.isEmpty() && !tbl.isEmpty();
}
public String getNoClusterString() {
- return Stream.of(ctl, ClusterNamespace.getNameFromFullName(db), tbl)
- .filter(Objects::nonNull)
- .collect(Collectors.joining("."));
+ if (db == null) {
+ return tbl;
+ } else {
+ String dbName = ClusterNamespace.getNameFromFullName(db);
+ if (dbName == null) {
+ return db + "." + tbl;
+ } else {
+ return dbName + "." + tbl;
+ }
+ }
}
@Override
public String toString() {
- return Stream.of(ctl, db, tbl).filter(Objects::nonNull).collect(Collectors.joining("."));
+ if (db == null) {
+ return tbl;
+ } else {
+ return db + "." + tbl;
+ }
}
@Override
@@ -146,9 +127,6 @@ public class TableName implements Writable {
public String toSql() {
StringBuilder stringBuilder = new StringBuilder();
- if (ctl != null) {
- stringBuilder.append("`").append(ctl).append("`.");
- }
if (db != null) {
stringBuilder.append("`").append(db).append("`.");
}
@@ -158,24 +136,17 @@ public class TableName implements Writable {
@Override
public void write(DataOutput out) throws IOException {
- String json = GsonUtils.GSON.toJson(this);
- Text.writeString(out, json);
+ Text.writeString(out, db);
+ Text.writeString(out, tbl);
}
public void readFields(DataInput in) throws IOException {
- if (Catalog.getCurrentCatalogJournalVersion() >= FeMetaVersion.VERSION_111) {
- TableName fromJson = GsonUtils.GSON.fromJson(Text.readString(in), TableName.class);
- ctl = fromJson.ctl;
- db = fromJson.db;
- tbl = fromJson.tbl;
- } else {
- ctl = InternalDataSource.INTERNAL_DS_NAME;
- db = Text.readString(in);
- tbl = Text.readString(in);
- }
+ db = Text.readString(in);
+ tbl = Text.readString(in);
}
public TableName cloneWithoutAnalyze() {
- return new TableName(this.ctl, this.db, this.tbl);
+ TableName tableName = new TableName(this.db, this.tbl);
+ return tableName;
}
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/TablePattern.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/TablePattern.java
index 7d1287dd48..6f6a3d393a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/TablePattern.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/TablePattern.java
@@ -17,43 +17,33 @@
package org.apache.doris.analysis;
-import org.apache.doris.catalog.Catalog;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.FeMetaVersion;
import org.apache.doris.common.FeNameFormat;
import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.mysql.privilege.PaloAuth.PrivLevel;
-import org.apache.doris.persist.gson.GsonUtils;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
-import com.google.gson.annotations.SerializedName;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
-/**
- * Three-segment-format: catalog.database.table. If the lower segment is specific,
- * the higher segment can't be a wildcard. The following examples are not allowed:
- * "ctl1.*.table1", "*.*.table2", "*.db1.*", ...
- */
+// only the following 3 formats are allowed
+// db.tbl
+// *.*
+// db.*
public class TablePattern implements Writable {
- @SerializedName(value = "ctl")
- private String ctl;
- @SerializedName(value = "db")
private String db;
- @SerializedName(value = "tbl")
private String tbl;
boolean isAnalyzed = false;
public static TablePattern ALL;
static {
- ALL = new TablePattern("*", "*", "*");
+ ALL = new TablePattern("*", "*");
try {
ALL.analyze("");
} catch (AnalysisException e) {
@@ -64,23 +54,11 @@ public class TablePattern implements Writable {
private TablePattern() {
}
- public TablePattern(String ctl, String db, String tbl) {
- this.ctl = Strings.isNullOrEmpty(ctl) ? "*" : ctl;
- this.db = Strings.isNullOrEmpty(db) ? "*" : db;
- this.tbl = Strings.isNullOrEmpty(tbl) ? "*" : tbl;
- }
-
public TablePattern(String db, String tbl) {
- this.ctl = null;
this.db = Strings.isNullOrEmpty(db) ? "*" : db;
this.tbl = Strings.isNullOrEmpty(tbl) ? "*" : tbl;
}
- public String getQualifiedCtl() {
- Preconditions.checkState(isAnalyzed);
- return ctl;
- }
-
public String getQualifiedDb() {
Preconditions.checkState(isAnalyzed);
return db;
@@ -92,39 +70,23 @@ public class TablePattern implements Writable {
public PrivLevel getPrivLevel() {
Preconditions.checkState(isAnalyzed);
- if (ctl.equals("*")) {
+ if (db.equals("*")) {
return PrivLevel.GLOBAL;
- } else if (db.equals("*")) {
- return PrivLevel.CATALOG;
- } else if (tbl.equals("*")) {
- return PrivLevel.DATABASE;
- } else {
+ } else if (!tbl.equals("*")) {
return PrivLevel.TABLE;
- }
- }
-
- public void analyze(Analyzer analyzer) throws AnalysisException {
- if (ctl == null) {
- analyze(analyzer.getDefaultCatalog(), analyzer.getClusterName());
} else {
- analyze(analyzer.getClusterName());
+ return PrivLevel.DATABASE;
}
}
- private void analyze(String catalogName, String clusterName) throws AnalysisException {
+ public void analyze(String clusterName) throws AnalysisException {
if (isAnalyzed) {
return;
}
- this.ctl = Strings.isNullOrEmpty(catalogName) ? InternalDataSource.INTERNAL_DS_NAME : catalogName;
- if ((!tbl.equals("*") && (db.equals("*") || ctl.equals("*")))
- || (!db.equals("*") && ctl.equals("*"))) {
+ if (db.equals("*") && !tbl.equals("*")) {
throw new AnalysisException("Do not support format: " + toString());
}
- if (!ctl.equals("*")) {
- FeNameFormat.checkCatalogName(ctl);
- }
-
if (!db.equals("*")) {
FeNameFormat.checkDbName(db);
db = ClusterNamespace.getFullName(clusterName, db);
@@ -136,21 +98,9 @@ public class TablePattern implements Writable {
isAnalyzed = true;
}
- public void analyze(String clusterName) throws AnalysisException {
- analyze(ctl, clusterName);
- }
-
public static TablePattern read(DataInput in) throws IOException {
- TablePattern tablePattern;
- if (Catalog.getCurrentCatalogJournalVersion() >= FeMetaVersion.VERSION_111) {
- tablePattern = GsonUtils.GSON.fromJson(Text.readString(in), TablePattern.class);
- } else {
- String ctl = InternalDataSource.INTERNAL_DS_NAME;
- String db = Text.readString(in);
- String tbl = Text.readString(in);
- tablePattern = new TablePattern(ctl, db, tbl);
- }
- tablePattern.isAnalyzed = true;
+ TablePattern tablePattern = new TablePattern();
+ tablePattern.readFields(in);
return tablePattern;
}
@@ -160,13 +110,12 @@ public class TablePattern implements Writable {
return false;
}
TablePattern other = (TablePattern) obj;
- return ctl.equals(other.getQualifiedCtl()) && db.equals(other.getQualifiedDb()) && tbl.equals(other.getTbl());
+ return db.equals(other.getQualifiedDb()) && tbl.equals(other.getTbl());
}
@Override
public int hashCode() {
int result = 17;
- result = 31 * result + ctl.hashCode();
result = 31 * result + db.hashCode();
result = 31 * result + tbl.hashCode();
return result;
@@ -174,13 +123,21 @@ public class TablePattern implements Writable {
@Override
public String toString() {
- return String.format("%s.%s.%s", ctl, db, tbl);
+ StringBuilder sb = new StringBuilder();
+ sb.append(db).append(".").append(tbl);
+ return sb.toString();
}
@Override
public void write(DataOutput out) throws IOException {
Preconditions.checkState(isAnalyzed);
- String json = GsonUtils.GSON.toJson(this);
- Text.writeString(out, json);
+ Text.writeString(out, db);
+ Text.writeString(out, tbl);
+ }
+
+ public void readFields(DataInput in) throws IOException {
+ db = Text.readString(in);
+ tbl = Text.readString(in);
+ isAnalyzed = true;
}
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/CaseSensibility.java b/fe/fe-core/src/main/java/org/apache/doris/common/CaseSensibility.java
index 6d5da6e65f..651581a3c6 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/CaseSensibility.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/CaseSensibility.java
@@ -22,7 +22,6 @@ package org.apache.doris.common;
**/
public enum CaseSensibility {
CLUSTER(true),
- CATALOG(true),
DATABASE(true),
TABLE(true),
ROLLUP(true),
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
index a8f73b9773..35dedadc30 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/ErrorCode.java
@@ -1686,7 +1686,7 @@ public enum ErrorCode {
+ "Use `SHOW PARTITIONS FROM %s` to see the currently partitions of this table. "),
ERROR_SQL_AND_LIMITATIONS_SET_IN_ONE_RULE(5084, new byte[]{'4', '2', '0', '0', '0'},
"sql/sqlHash and partition_num/tablet_num/cardinality cannot be set in one rule."),
- ERR_WRONG_CATALOG_NAME(5085, new byte[]{'4', '2', '0', '0', '0'}, "Incorrect catalog name '%s'");
+ ;
// This is error code
private final int code;
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/FeNameFormat.java b/fe/fe-core/src/main/java/org/apache/doris/common/FeNameFormat.java
index ea12ba5758..1f3db6a4a6 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/FeNameFormat.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/FeNameFormat.java
@@ -18,7 +18,6 @@
package org.apache.doris.common;
import org.apache.doris.alter.SchemaChangeHandler;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.mysql.privilege.PaloRole;
import org.apache.doris.system.SystemInfoService;
@@ -43,13 +42,6 @@ public class FeNameFormat {
}
}
- public static void checkCatalogName(String catalogName) throws AnalysisException {
- if (!InternalDataSource.INTERNAL_DS_NAME.equals(catalogName)
- && (Strings.isNullOrEmpty(catalogName) || !catalogName.matches(COMMON_NAME_REGEX))) {
- ErrorReport.reportAnalysisException(ErrorCode.ERR_WRONG_CATALOG_NAME, catalogName);
- }
- }
-
public static void checkDbName(String dbName) throws AnalysisException {
if (Strings.isNullOrEmpty(dbName) || !dbName.matches(COMMON_NAME_REGEX)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_WRONG_DB_NAME, dbName);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/proc/AuthProcDir.java b/fe/fe-core/src/main/java/org/apache/doris/common/proc/AuthProcDir.java
index 6f11b4dd4e..33e3b2854c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/proc/AuthProcDir.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/proc/AuthProcDir.java
@@ -31,8 +31,8 @@ import com.google.common.collect.ImmutableList;
*/
public class AuthProcDir implements ProcDirInterface {
public static final ImmutableList<String> TITLE_NAMES = new ImmutableList.Builder<String>()
- .add("UserIdentity").add("Password").add("GlobalPrivs").add("CatalogPrivs")
- .add("DatabasePrivs").add("TablePrivs").add("ResourcePrivs").build();
+ .add("UserIdentity").add("Password").add("GlobalPrivs").add("DatabasePrivs")
+ .add("TablePrivs").add("ResourcePrivs").build();
private PaloAuth auth;
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivEntry.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivEntry.java
deleted file mode 100644
index 855c67e14c..0000000000
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivEntry.java
+++ /dev/null
@@ -1,136 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package org.apache.doris.mysql.privilege;
-
-import org.apache.doris.common.AnalysisException;
-import org.apache.doris.common.CaseSensibility;
-import org.apache.doris.common.PatternMatcher;
-import org.apache.doris.common.io.Text;
-
-import java.io.DataInput;
-import java.io.DataOutput;
-import java.io.IOException;
-
-public class CatalogPrivEntry extends PrivEntry {
- protected static final String ANY_CTL = "*";
-
- protected PatternMatcher ctlPattern;
- protected String origCtl;
- protected boolean isAnyCtl;
-
- protected CatalogPrivEntry() {
- }
-
- protected CatalogPrivEntry(PatternMatcher userPattern, String user,
- PatternMatcher hostPattern, String origHost,
- PatternMatcher ctlPattern, String origCtl,
- boolean isDomain, PrivBitSet privSet) {
- super(hostPattern, origHost, userPattern, user, isDomain, privSet);
- this.ctlPattern = ctlPattern;
- this.origCtl = origCtl;
- if (origCtl.equals(ANY_CTL)) {
- isAnyCtl = true;
- }
- }
-
- public static CatalogPrivEntry create(String user, String host, String ctl, boolean isDomain, PrivBitSet privs)
- throws AnalysisException {
- PatternMatcher hostPattern = PatternMatcher.createMysqlPattern(host, CaseSensibility.HOST.getCaseSensibility());
-
- PatternMatcher ctlPattern = createCtlPatternMatcher(ctl);
-
- PatternMatcher userPattern = PatternMatcher.createFlatPattern(user, CaseSensibility.USER.getCaseSensibility());
-
- if (privs.containsNodePriv() || privs.containsResourcePriv()) {
- throw new AnalysisException("Datasource privilege can not contains node or resource privileges: " + privs);
- }
-
- return new CatalogPrivEntry(userPattern, user, hostPattern, host, ctlPattern, ctl, isDomain, privs);
- }
-
- private static PatternMatcher createCtlPatternMatcher(String ctl) throws AnalysisException {
- boolean ctlCaseSensibility = CaseSensibility.CATALOG.getCaseSensibility();
- return PatternMatcher.createFlatPattern(ctl, ctlCaseSensibility, ctl.equals(ANY_CTL));
- }
-
- public PatternMatcher getCtlPattern() {
- return ctlPattern;
- }
-
- public String getOrigCtl() {
- return origCtl;
- }
-
- public boolean isAnyCtl() {
- return isAnyCtl;
- }
-
- @Override
- public int compareTo(PrivEntry other) {
- if (!(other instanceof CatalogPrivEntry)) {
- throw new ClassCastException("cannot cast " + other.getClass().toString() + " to " + this.getClass());
- }
-
- CatalogPrivEntry otherEntry = (CatalogPrivEntry) other;
- return compareAssist(origUser, otherEntry.origUser,
- origHost, otherEntry.origHost,
- origCtl, otherEntry.origCtl);
- }
-
- @Override
- public boolean keyMatch(PrivEntry other) {
- if (!(other instanceof CatalogPrivEntry)) {
- return false;
- }
-
- CatalogPrivEntry otherEntry = (CatalogPrivEntry) other;
- return origUser.equals(otherEntry.origUser) && origHost.equals(otherEntry.origHost)
- && origCtl.equals(otherEntry.origCtl) && isDomain == otherEntry.isDomain;
- }
-
- @Override
- public String toString() {
- return String.format("catalog privilege. user: %s, host: %s, ctl: %s, priv: %s, set by resolver: %b",
- origUser, origHost, origCtl, privSet.toString(), isSetByDomainResolver);
- }
-
- @Override
- public void write(DataOutput out) throws IOException {
- if (!isClassNameWrote) {
- String className = CatalogPrivEntry.class.getCanonicalName();
- Text.writeString(out, className);
- isClassNameWrote = true;
- }
- super.write(out);
- Text.writeString(out, origCtl);
- isClassNameWrote = false;
- }
-
- public void readFields(DataInput in) throws IOException {
- super.readFields(in);
-
- origCtl = Text.readString(in);
- try {
- ctlPattern = createCtlPatternMatcher(origCtl);
- } catch (AnalysisException e) {
- throw new IOException(e);
- }
- isAnyCtl = origCtl.equals(ANY_CTL);
- }
-
-}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivTable.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivTable.java
deleted file mode 100644
index a1febfbf37..0000000000
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogPrivTable.java
+++ /dev/null
@@ -1,73 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package org.apache.doris.mysql.privilege;
-
-import org.apache.doris.analysis.UserIdentity;
-import org.apache.doris.common.io.Text;
-
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import java.io.DataOutput;
-import java.io.IOException;
-
-/*
- * CatalogPrivTable saves all catalog level privs
- */
-public class CatalogPrivTable extends PrivTable {
- private static final Logger LOG = LogManager.getLogger(CatalogPrivTable.class);
-
- /*
- * Return first priv which match the user@host on ctl.* The returned priv will be
- * saved in 'savedPrivs'.
- */
- public void getPrivs(UserIdentity currentUser, String ctl, PrivBitSet savedPrivs) {
- CatalogPrivEntry matchedEntry = null;
- for (PrivEntry entry : entries) {
- CatalogPrivEntry dsPrivEntry = (CatalogPrivEntry) entry;
-
- if (!dsPrivEntry.match(currentUser, true)) {
- continue;
- }
-
- // check catalog
- if (!dsPrivEntry.isAnyCtl() && !dsPrivEntry.getCtlPattern().match(ctl)) {
- continue;
- }
-
- matchedEntry = dsPrivEntry;
- break;
- }
- if (matchedEntry == null) {
- return;
- }
-
- savedPrivs.or(matchedEntry.getPrivSet());
- }
-
- @Override
- public void write(DataOutput out) throws IOException {
- if (!isClassNameWrote) {
- String className = CatalogPrivTable.class.getCanonicalName();
- Text.writeString(out, className);
- isClassNameWrote = true;
- }
-
- super.write(out);
- }
-}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivEntry.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivEntry.java
index 826bbe2a98..a8f1337df7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivEntry.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivEntry.java
@@ -28,7 +28,7 @@ import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
-public class DbPrivEntry extends CatalogPrivEntry {
+public class DbPrivEntry extends PrivEntry {
protected static final String ANY_DB = "*";
protected PatternMatcher dbPattern;
@@ -38,12 +38,9 @@ public class DbPrivEntry extends CatalogPrivEntry {
protected DbPrivEntry() {
}
- protected DbPrivEntry(PatternMatcher userPattern, String user,
- PatternMatcher hostPattern, String origHost,
- PatternMatcher ctlPattern, String origCtl,
- PatternMatcher dbPattern, String origDb,
- boolean isDomain, PrivBitSet privSet) {
- super(userPattern, user, hostPattern, origHost, ctlPattern, origCtl, isDomain, privSet);
+ protected DbPrivEntry(PatternMatcher hostPattern, String origHost, PatternMatcher dbPattern, String origDb,
+ PatternMatcher userPattern, String user, boolean isDomain, PrivBitSet privSet) {
+ super(hostPattern, origHost, userPattern, user, isDomain, privSet);
this.dbPattern = dbPattern;
this.origDb = origDb;
if (origDb.equals(ANY_DB)) {
@@ -51,15 +48,10 @@ public class DbPrivEntry extends CatalogPrivEntry {
}
}
- public static DbPrivEntry create(
- String user, String host,
- String ctl, String db,
- boolean isDomain, PrivBitSet privs) throws AnalysisException {
+ public static DbPrivEntry create(String host, String db, String user, boolean isDomain, PrivBitSet privs)
+ throws AnalysisException {
PatternMatcher hostPattern = PatternMatcher.createMysqlPattern(host, CaseSensibility.HOST.getCaseSensibility());
- PatternMatcher ctlPattern = PatternMatcher.createFlatPattern(
- ctl, CaseSensibility.CATALOG.getCaseSensibility(), ctl.equals(ANY_CTL));
-
PatternMatcher dbPattern = createDbPatternMatcher(db);
PatternMatcher userPattern = PatternMatcher.createFlatPattern(user, CaseSensibility.USER.getCaseSensibility());
@@ -68,7 +60,7 @@ public class DbPrivEntry extends CatalogPrivEntry {
throw new AnalysisException("Db privilege can not contains global or resource privileges: " + privs);
}
- return new DbPrivEntry(userPattern, user, hostPattern, host, ctlPattern, ctl, dbPattern, db, isDomain, privs);
+ return new DbPrivEntry(hostPattern, host, dbPattern, db, userPattern, user, isDomain, privs);
}
private static PatternMatcher createDbPatternMatcher(String db) throws AnalysisException {
@@ -100,10 +92,17 @@ public class DbPrivEntry extends CatalogPrivEntry {
}
DbPrivEntry otherEntry = (DbPrivEntry) other;
- return compareAssist(origUser, otherEntry.origUser,
- origHost, otherEntry.origHost,
- origCtl, otherEntry.origCtl,
- origDb, otherEntry.origDb);
+ int res = origHost.compareTo(otherEntry.origHost);
+ if (res != 0) {
+ return -res;
+ }
+
+ res = origDb.compareTo(otherEntry.origDb);
+ if (res != 0) {
+ return -res;
+ }
+
+ return -origUser.compareTo(otherEntry.origUser);
}
@Override
@@ -113,15 +112,20 @@ public class DbPrivEntry extends CatalogPrivEntry {
}
DbPrivEntry otherEntry = (DbPrivEntry) other;
- return origUser.equals(otherEntry.origUser) && origHost.equals(otherEntry.origHost)
- && origCtl.equals(otherEntry.origCtl) && origDb.equals(otherEntry.origDb)
- && isDomain == otherEntry.isDomain;
+ if (origHost.equals(otherEntry.origHost) && origUser.equals(otherEntry.origUser)
+ && origDb.equals(otherEntry.origDb) && isDomain == otherEntry.isDomain) {
+ return true;
+ }
+ return false;
}
@Override
public String toString() {
- return String.format("database privilege. user: %s, host: %s, ctl: %s, db: %s, priv: %s, set by resolver: %b",
- origUser, origHost, origCtl, origDb, privSet.toString(), isSetByDomainResolver);
+ StringBuilder sb = new StringBuilder();
+ sb.append("db priv. host: ").append(origHost).append(", db: ").append(origDb);
+ sb.append(", user: ").append(origUser);
+ sb.append(", priv: ").append(privSet).append(", set by resolver: ").append(isSetByDomainResolver);
+ return sb.toString();
}
@Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivTable.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivTable.java
index 87ef9ad50e..a16c8dab9f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivTable.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/DbPrivTable.java
@@ -34,10 +34,10 @@ public class DbPrivTable extends PrivTable {
private static final Logger LOG = LogManager.getLogger(DbPrivTable.class);
/*
- * Return first priv which match the user@host on ctl.db.* The returned priv will be
+ * Return first priv which match the user@host on db.* The returned priv will be
* saved in 'savedPrivs'.
*/
- public void getPrivs(UserIdentity currentUser, String ctl, String db, PrivBitSet savedPrivs) {
+ public void getPrivs(UserIdentity currentUser, String db, PrivBitSet savedPrivs) {
DbPrivEntry matchedEntry = null;
for (PrivEntry entry : entries) {
DbPrivEntry dbPrivEntry = (DbPrivEntry) entry;
@@ -46,11 +46,6 @@ public class DbPrivTable extends PrivTable {
continue;
}
- // check catalog
- if (!dbPrivEntry.isAnyCtl() && !dbPrivEntry.getCtlPattern().match(ctl)) {
- continue;
- }
-
// check db
if (!dbPrivEntry.isAnyDb() && !dbPrivEntry.getDbPattern().match(db)) {
continue;
@@ -66,6 +61,28 @@ public class DbPrivTable extends PrivTable {
savedPrivs.or(matchedEntry.getPrivSet());
}
+ /*
+ * Check if user@host has specified privilege on any database
+ */
+ public boolean hasPriv(String host, String user, PrivPredicate wanted) {
+ for (PrivEntry entry : entries) {
+ DbPrivEntry dbPrivEntry = (DbPrivEntry) entry;
+ // check host
+ if (!dbPrivEntry.isAnyHost() && !dbPrivEntry.getHostPattern().match(host)) {
+ continue;
+ }
+ // check user
+ if (!dbPrivEntry.isAnyUser() && !dbPrivEntry.getUserPattern().match(user)) {
+ continue;
+ }
+ // check priv
+ if (dbPrivEntry.privSet.satisfy(wanted)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
public boolean hasClusterPriv(ConnectContext ctx, String clusterName) {
for (PrivEntry entry : entries) {
DbPrivEntry dbPrivEntry = (DbPrivEntry) entry;
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
index 9459f14ed9..2dcb317ff8 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PaloAuth.java
@@ -27,7 +27,6 @@ import org.apache.doris.analysis.RevokeStmt;
import org.apache.doris.analysis.SetLdapPassVar;
import org.apache.doris.analysis.SetPassVar;
import org.apache.doris.analysis.SetUserPropertyStmt;
-import org.apache.doris.analysis.TableName;
import org.apache.doris.analysis.TablePattern;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.AuthorizationInfo;
@@ -43,7 +42,6 @@ import org.apache.doris.common.LdapConfig;
import org.apache.doris.common.Pair;
import org.apache.doris.common.UserException;
import org.apache.doris.common.io.Writable;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.ldap.LdapPrivsChecker;
import org.apache.doris.load.DppConfig;
import org.apache.doris.persist.LdapInfo;
@@ -55,7 +53,6 @@ import org.apache.doris.thrift.TPrivilegeStatus;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import org.apache.logging.log4j.LogManager;
@@ -68,7 +65,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
-import java.util.stream.Collectors;
public class PaloAuth implements Writable {
private static final Logger LOG = LogManager.getLogger(PaloAuth.class);
@@ -79,10 +75,8 @@ public class PaloAuth implements Writable {
public static final String ADMIN_USER = "admin";
// unknown user does not have any privilege, this is just to be compatible with old version.
public static final String UNKNOWN_USER = "unknown";
- private static final String DEFAULT_CATALOG = InternalDataSource.INTERNAL_DS_NAME;
private UserPrivTable userPrivTable = new UserPrivTable();
- private CatalogPrivTable catalogPrivTable = new CatalogPrivTable();
private DbPrivTable dbPrivTable = new DbPrivTable();
private TablePrivTable tablePrivTable = new TablePrivTable();
private ResourcePrivTable resourcePrivTable = new ResourcePrivTable();
@@ -111,7 +105,7 @@ public class PaloAuth implements Writable {
}
public enum PrivLevel {
- GLOBAL, CATALOG, DATABASE, TABLE, RESOURCE
+ GLOBAL, DATABASE, TABLE, RESOURCE
}
public PaloAuth() {
@@ -171,39 +165,12 @@ public class PaloAuth implements Writable {
false /* not delete entry if priv is empty, because global priv entry has password */);
}
- private void grantCatalogPrivs(UserIdentity userIdentity, String ctl,
- boolean errOnExist, boolean errOnNonExist, PrivBitSet privs) throws DdlException {
- CatalogPrivEntry entry;
- try {
- entry = CatalogPrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, userIdentity.isDomain(), privs);
- entry.setSetByDomainResolver(false);
- } catch (AnalysisException e) {
- throw new DdlException(e.getMessage());
- }
- catalogPrivTable.addEntry(entry, errOnExist, errOnNonExist);
- }
-
- private void revokeCatalogPrivs(UserIdentity userIdentity, String ctl,
- PrivBitSet privs, boolean errOnNonExist) throws DdlException {
- CatalogPrivEntry entry;
- try {
- entry = CatalogPrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, userIdentity.isDomain(), privs);
- entry.setSetByDomainResolver(false);
- } catch (AnalysisException e) {
- throw new DdlException(e.getMessage());
- }
-
- catalogPrivTable.revoke(entry, errOnNonExist, true /* delete entry when empty */);
- }
-
- private void grantDbPrivs(UserIdentity userIdentity, String ctl, String db,
- boolean errOnExist, boolean errOnNonExist, PrivBitSet privs) throws DdlException {
+ private void grantDbPrivs(UserIdentity userIdentity, String db, boolean errOnExist, boolean errOnNonExist,
+ PrivBitSet privs) throws DdlException {
DbPrivEntry entry;
try {
- entry = DbPrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, db, userIdentity.isDomain(), privs);
+ entry = DbPrivEntry.create(userIdentity.getHost(), db, userIdentity.getQualifiedUser(),
+ userIdentity.isDomain(), privs);
entry.setSetByDomainResolver(false);
} catch (AnalysisException e) {
throw new DdlException(e.getMessage());
@@ -211,12 +178,12 @@ public class PaloAuth implements Writable {
dbPrivTable.addEntry(entry, errOnExist, errOnNonExist);
}
- private void revokeDbPrivs(UserIdentity userIdentity, String ctl, String db,
- PrivBitSet privs, boolean errOnNonExist) throws DdlException {
+ private void revokeDbPrivs(UserIdentity userIdentity, String db, PrivBitSet privs, boolean errOnNonExist)
+ throws DdlException {
DbPrivEntry entry;
try {
- entry = DbPrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, db, userIdentity.isDomain(), privs);
+ entry = DbPrivEntry.create(userIdentity.getHost(), db, userIdentity.getQualifiedUser(),
+ userIdentity.isDomain(), privs);
entry.setSetByDomainResolver(false);
} catch (AnalysisException e) {
throw new DdlException(e.getMessage());
@@ -225,12 +192,12 @@ public class PaloAuth implements Writable {
dbPrivTable.revoke(entry, errOnNonExist, true /* delete entry when empty */);
}
- private void grantTblPrivs(UserIdentity userIdentity, String ctl, String db, String tbl,
- boolean errOnExist, boolean errOnNonExist, PrivBitSet privs) throws DdlException {
+ private void grantTblPrivs(UserIdentity userIdentity, String db, String tbl, boolean errOnExist,
+ boolean errOnNonExist, PrivBitSet privs) throws DdlException {
TablePrivEntry entry;
try {
- entry = TablePrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, db, tbl, userIdentity.isDomain(), privs);
+ entry = TablePrivEntry.create(userIdentity.getHost(), db, userIdentity.getQualifiedUser(), tbl,
+ userIdentity.isDomain(), privs);
entry.setSetByDomainResolver(false);
} catch (AnalysisException e) {
throw new DdlException(e.getMessage());
@@ -238,12 +205,12 @@ public class PaloAuth implements Writable {
tablePrivTable.addEntry(entry, errOnExist, errOnNonExist);
}
- private void revokeTblPrivs(UserIdentity userIdentity, String ctl, String db, String tbl,
- PrivBitSet privs, boolean errOnNonExist) throws DdlException {
+ private void revokeTblPrivs(UserIdentity userIdentity, String db, String tbl, PrivBitSet privs,
+ boolean errOnNonExist) throws DdlException {
TablePrivEntry entry;
try {
- entry = TablePrivEntry.create(userIdentity.getQualifiedUser(), userIdentity.getHost(),
- ctl, db, tbl, userIdentity.isDomain(), privs);
+ entry = TablePrivEntry.create(userIdentity.getHost(), db, userIdentity.getQualifiedUser(), tbl,
+ userIdentity.isDomain(), privs);
entry.setSetByDomainResolver(false);
} catch (AnalysisException e) {
throw new DdlException(e.getMessage());
@@ -357,15 +324,11 @@ public class PaloAuth implements Writable {
return checkDbPriv(ctx.getCurrentUserIdentity(), qualifiedDb, wanted);
}
- public boolean checkDbPriv(UserIdentity currentUser, String db, PrivPredicate wanted) {
- return checkDbPriv(currentUser, DEFAULT_CATALOG, db, wanted);
- }
-
/*
* Check if 'user'@'host' on 'db' has 'wanted' priv.
* If the given db is null, which means it will no check if database name is matched.
*/
- public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted) {
+ public boolean checkDbPriv(UserIdentity currentUser, String db, PrivPredicate wanted) {
if (!Config.enable_auth_check) {
return true;
}
@@ -377,13 +340,12 @@ public class PaloAuth implements Writable {
PrivBitSet savedPrivs = PrivBitSet.of();
if (checkGlobalInternal(currentUser, wanted, savedPrivs)
- || checkCatalogInternal(currentUser, ctl, wanted, savedPrivs)
- || checkDbInternal(currentUser, ctl, db, wanted, savedPrivs)) {
+ || checkDbInternal(currentUser, db, wanted, savedPrivs)) {
return true;
}
// if user has any privs of table in this db, and the wanted priv is SHOW, return true
- if (ctl != null && db != null && wanted == PrivPredicate.SHOW && checkTblWithDb(currentUser, ctl, db)) {
+ if (db != null && wanted == PrivPredicate.SHOW && checkTblWithDb(currentUser, db)) {
return true;
}
@@ -396,31 +358,21 @@ public class PaloAuth implements Writable {
* So we have to check if user has any privs of tables in this database.
* if so, the database should be visible to this user.
*/
- private boolean checkTblWithDb(UserIdentity currentUser, String ctl, String db) {
+ private boolean checkTblWithDb(UserIdentity currentUser, String db) {
readLock();
try {
return (isLdapAuthEnabled() && LdapPrivsChecker.hasPrivsOfDb(currentUser, db))
- || tablePrivTable.hasPrivsOfDb(currentUser, ctl, db);
+ || tablePrivTable.hasPrivsOfDb(currentUser, db);
} finally {
readUnlock();
}
}
- public boolean checkTblPriv(ConnectContext ctx, String qualifiedCtl,
- String qualifiedDb, String tbl, PrivPredicate wanted) {
- return checkTblPriv(ctx.getCurrentUserIdentity(), qualifiedCtl, qualifiedDb, tbl, wanted);
- }
-
public boolean checkTblPriv(ConnectContext ctx, String qualifiedDb, String tbl, PrivPredicate wanted) {
- return checkTblPriv(ctx, DEFAULT_CATALOG, qualifiedDb, tbl, wanted);
+ return checkTblPriv(ctx.getCurrentUserIdentity(), qualifiedDb, tbl, wanted);
}
- public boolean checkTblPriv(ConnectContext ctx, TableName tableName, PrivPredicate wanted) {
- Preconditions.checkState(tableName.isFullyQualified());
- return checkTblPriv(ctx, tableName.getCtl(), tableName.getDb(), wanted);
- }
-
- public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) {
+ public boolean checkTblPriv(UserIdentity currentUser, String db, String tbl, PrivPredicate wanted) {
if (!Config.enable_auth_check) {
return true;
}
@@ -431,9 +383,8 @@ public class PaloAuth implements Writable {
PrivBitSet savedPrivs = PrivBitSet.of();
if (checkGlobalInternal(currentUser, wanted, savedPrivs)
- || checkCatalogInternal(currentUser, ctl, wanted, savedPrivs)
- || checkDbInternal(currentUser, ctl, db, wanted, savedPrivs)
- || checkTblInternal(currentUser, ctl, db, tbl, wanted, savedPrivs)) {
+ || checkDbInternal(currentUser, db, wanted, savedPrivs)
+ || checkTblInternal(currentUser, db, tbl, wanted, savedPrivs)) {
return true;
}
@@ -441,10 +392,6 @@ public class PaloAuth implements Writable {
return false;
}
- public boolean checkTblPriv(UserIdentity currentUser, String db, String tbl, PrivPredicate wanted) {
- return checkTblPriv(currentUser, DEFAULT_CATALOG, db, tbl, wanted);
- }
-
public boolean checkResourcePriv(ConnectContext ctx, String resourceName, PrivPredicate wanted) {
return checkResourcePriv(ctx.getCurrentUserIdentity(), resourceName, wanted);
}
@@ -538,22 +485,7 @@ public class PaloAuth implements Writable {
}
}
- private boolean checkCatalogInternal(UserIdentity currentUser, String ctl,
- PrivPredicate wanted, PrivBitSet savedPrivs) {
- // TODO(gaoxin): check privileges by ldap.
- readLock();
- try {
- catalogPrivTable.getPrivs(currentUser, ctl, savedPrivs);
- if (PaloPrivilege.satisfy(savedPrivs, wanted)) {
- return true;
- }
- } finally {
- readUnlock();
- }
- return false;
- }
-
- private boolean checkDbInternal(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted,
+ private boolean checkDbInternal(UserIdentity currentUser, String db, PrivPredicate wanted,
PrivBitSet savedPrivs) {
if (isLdapAuthEnabled() && LdapPrivsChecker.hasDbPrivFromLdap(currentUser, db, wanted)) {
return true;
@@ -561,7 +493,7 @@ public class PaloAuth implements Writable {
readLock();
try {
- dbPrivTable.getPrivs(currentUser, ctl, db, savedPrivs);
+ dbPrivTable.getPrivs(currentUser, db, savedPrivs);
if (PaloPrivilege.satisfy(savedPrivs, wanted)) {
return true;
}
@@ -571,7 +503,7 @@ public class PaloAuth implements Writable {
return false;
}
- private boolean checkTblInternal(UserIdentity currentUser, String ctl, String db, String tbl,
+ private boolean checkTblInternal(UserIdentity currentUser, String db, String tbl,
PrivPredicate wanted, PrivBitSet savedPrivs) {
if (isLdapAuthEnabled() && LdapPrivsChecker.hasTblPrivFromLdap(currentUser, db, tbl, wanted)) {
return true;
@@ -579,7 +511,7 @@ public class PaloAuth implements Writable {
readLock();
try {
- tablePrivTable.getPrivs(currentUser, ctl, db, tbl, savedPrivs);
+ tablePrivTable.getPrivs(currentUser, db, tbl, savedPrivs);
if (PaloPrivilege.satisfy(savedPrivs, wanted)) {
return true;
}
@@ -675,7 +607,7 @@ public class PaloAuth implements Writable {
if (!userIdent.getQualifiedUser().equals(ROOT_USER) && !userIdent.getQualifiedUser().equals(ADMIN_USER)) {
// grant read privs to database information_schema
- TablePattern tblPattern = new TablePattern(DEFAULT_CATALOG, InfoSchemaDb.DATABASE_NAME, "*");
+ TablePattern tblPattern = new TablePattern(InfoSchemaDb.DATABASE_NAME, "*");
try {
tblPattern.analyze(ClusterNamespace.getClusterNameFromFullName(userIdent.getQualifiedUser()));
} catch (AnalysisException e) {
@@ -749,7 +681,6 @@ public class PaloAuth implements Writable {
// we don't check if user exists
userPrivTable.dropUser(userIdent);
- catalogPrivTable.dropUser(userIdent);
dbPrivTable.dropUser(userIdent);
tablePrivTable.dropUser(userIdent);
resourcePrivTable.dropUser(userIdent);
@@ -884,22 +815,14 @@ public class PaloAuth implements Writable {
errOnNonExist,
privs);
break;
- case CATALOG:
- grantCatalogPrivs(userIdent, tblPattern.getQualifiedCtl(),
- false /* err on exist */,
- false /* err on non exist */,
- privs);
- break;
case DATABASE:
- grantDbPrivs(userIdent, tblPattern.getQualifiedCtl(),
- tblPattern.getQualifiedDb(),
+ grantDbPrivs(userIdent, tblPattern.getQualifiedDb(),
false /* err on exist */,
false /* err on non exist */,
privs);
break;
case TABLE:
- grantTblPrivs(userIdent, tblPattern.getQualifiedCtl(),
- tblPattern.getQualifiedDb(),
+ grantTblPrivs(userIdent, tblPattern.getQualifiedDb(),
tblPattern.getTbl(),
false /* err on exist */,
false /* err on non exist */,
@@ -1048,16 +971,12 @@ public class PaloAuth implements Writable {
case GLOBAL:
revokeGlobalPrivs(userIdent, privs, errOnNonExist);
break;
- case CATALOG:
- revokeCatalogPrivs(userIdent, tblPattern.getQualifiedCtl(), privs, errOnNonExist);
- break;
case DATABASE:
- revokeDbPrivs(userIdent, tblPattern.getQualifiedCtl(),
- tblPattern.getQualifiedDb(), privs, errOnNonExist);
+ revokeDbPrivs(userIdent, tblPattern.getQualifiedDb(), privs, errOnNonExist);
break;
case TABLE:
- revokeTblPrivs(userIdent, tblPattern.getQualifiedCtl(), tblPattern.getQualifiedDb(),
- tblPattern.getTbl(), privs, errOnNonExist);
+ revokeTblPrivs(userIdent, tblPattern.getQualifiedDb(), tblPattern.getTbl(), privs,
+ errOnNonExist);
break;
default:
Preconditions.checkNotNull(null, tblPattern.getPrivLevel());
@@ -1392,17 +1311,6 @@ public class PaloAuth implements Writable {
}
}
- // catalog
- String ctlPrivs = catalogPrivTable.entries.stream()
- .filter(entry -> entry.match(userIdent, true))
- .map(entry -> String.format("%s: %s (%b)",
- ((CatalogPrivEntry) entry).getOrigCtl(), entry.privSet, entry.isSetByDomainResolver()))
- .collect(Collectors.joining("; "));
- if (Strings.isNullOrEmpty(ctlPrivs)) {
- ctlPrivs = FeConstants.null_string;
- }
- userAuthInfo.add(ctlPrivs);
-
// db
List<String> dbPrivs = Lists.newArrayList();
Set<String> addedDbs = Sets.newHashSet();
@@ -1418,16 +1326,16 @@ public class PaloAuth implements Writable {
PrivBitSet savedPrivs = dEntry.getPrivSet().copy();
savedPrivs.or(LdapPrivsChecker.getDbPrivFromLdap(userIdent, dEntry.getOrigDb()));
addedDbs.add(dEntry.getOrigDb());
- dbPrivs.add(String.format("%s.%s: %s (%b)", dEntry.getOrigCtl(), dEntry.getOrigDb(),
- savedPrivs, dEntry.isSetByDomainResolver()));
+ dbPrivs.add(dEntry.getOrigDb() + ": " + savedPrivs.toString()
+ + " (" + entry.isSetByDomainResolver() + ")");
}
// Add privs from ldap groups that have not been added in Doris.
if (LdapPrivsChecker.hasLdapPrivs(userIdent)) {
Map<TablePattern, PrivBitSet> ldapDbPrivs = LdapPrivsChecker.getLdapAllDbPrivs(userIdent);
for (Map.Entry<TablePattern, PrivBitSet> entry : ldapDbPrivs.entrySet()) {
if (!addedDbs.contains(entry.getKey().getQualifiedDb())) {
- dbPrivs.add(String.format("%s.%s: %s (%b)", entry.getKey().getQualifiedCtl(),
- entry.getKey().getQualifiedDb(), entry.getValue(), false));
+ dbPrivs.add(entry.getKey().getQualifiedDb() + ": "
+ + entry.getValue().toString() + " (" + false + ")");
}
}
}
@@ -1453,15 +1361,17 @@ public class PaloAuth implements Writable {
PrivBitSet savedPrivs = tEntry.getPrivSet().copy();
savedPrivs.or(LdapPrivsChecker.getTblPrivFromLdap(userIdent, tEntry.getOrigDb(), tEntry.getOrigTbl()));
addedtbls.add(tEntry.getOrigDb().concat(".").concat(tEntry.getOrigTbl()));
- tblPrivs.add(String.format("%s.%s.%s: %s (%b)", tEntry.getOrigCtl(), tEntry.getOrigDb(),
- tEntry.getOrigTbl(), savedPrivs, tEntry.isSetByDomainResolver()));
+ tblPrivs.add(tEntry.getOrigDb() + "." + tEntry.getOrigTbl() + ": "
+ + savedPrivs.toString()
+ + " (" + entry.isSetByDomainResolver() + ")");
}
// Add privs from ldap groups that have not been added in Doris.
if (LdapPrivsChecker.hasLdapPrivs(userIdent)) {
Map<TablePattern, PrivBitSet> ldapTblPrivs = LdapPrivsChecker.getLdapAllTblPrivs(userIdent);
for (Map.Entry<TablePattern, PrivBitSet> entry : ldapTblPrivs.entrySet()) {
if (!addedtbls.contains(entry.getKey().getQualifiedDb().concat(".").concat(entry.getKey().getTbl()))) {
- tblPrivs.add(String.format("%s: %s (%b)", entry.getKey(), entry.getValue(), false));
+ tblPrivs.add(entry.getKey().getQualifiedDb().concat(".").concat(entry.getKey().getTbl())
+ .concat(": ").concat(entry.getValue().toString()).concat(" (false)"));
}
}
}
@@ -1752,7 +1662,6 @@ public class PaloAuth implements Writable {
// role manager must be first, because role should be exist before any user
roleManager.write(out);
userPrivTable.write(out);
- catalogPrivTable.write(out);
dbPrivTable.write(out);
tablePrivTable.write(out);
resourcePrivTable.write(out);
@@ -1763,13 +1672,6 @@ public class PaloAuth implements Writable {
public void readFields(DataInput in) throws IOException {
roleManager = RoleManager.read(in);
userPrivTable = (UserPrivTable) PrivTable.read(in);
- if (Catalog.getCurrentCatalogJournalVersion() >= FeMetaVersion.VERSION_111) {
- catalogPrivTable = (CatalogPrivTable) PrivTable.read(in);
- } else {
- catalogPrivTable = userPrivTable.degradeToInternalCatalogPriv();
- LOG.info("Load PaloAuth from meta version < {}, degrade UserPrivTable to CatalogPrivTable",
- FeMetaVersion.VERSION_111);
- }
dbPrivTable = (DbPrivTable) PrivTable.read(in);
tablePrivTable = (TablePrivTable) PrivTable.read(in);
resourcePrivTable = (ResourcePrivTable) PrivTable.read(in);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivEntry.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivEntry.java
index 8f59a59777..906c29b6da 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivEntry.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivEntry.java
@@ -24,7 +24,6 @@ import org.apache.doris.common.PatternMatcher;
import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
-import com.google.common.base.Preconditions;
import org.apache.commons.lang.NotImplementedException;
import java.io.DataInput;
@@ -254,19 +253,4 @@ public abstract class PrivEntry implements Comparable<PrivEntry>, Writable {
public int compareTo(PrivEntry o) {
throw new NotImplementedException();
}
-
- /**
- * Help derived classes compare in the order of 'user', 'host', 'catalog', 'db', 'ctl'.
- * Compare strings[i] with strings[i+1] successively, return if the comparison value is not 0 in current loop.
- */
- protected static int compareAssist(String... strings) {
- Preconditions.checkState(strings.length % 2 == 0);
- for (int i = 0; i < strings.length; i += 2) {
- int res = strings[i].compareTo(strings[i + 1]);
- if (res != 0) {
- return res;
- }
- }
- return 0;
- }
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivTable.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivTable.java
index 054ca2e62e..ce2f7738c3 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivTable.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivTable.java
@@ -45,27 +45,6 @@ public abstract class PrivTable implements Writable {
// see PrivEntry for more detail
protected boolean isClassNameWrote = false;
- /*
- * Check if user@host has specified privilege
- */
- public boolean hasPriv(String host, String user, PrivPredicate wanted) {
- for (PrivEntry entry : entries) {
- // check host
- if (!entry.isAnyHost() && !entry.getHostPattern().match(host)) {
- continue;
- }
- // check user
- if (!entry.isAnyUser() && !entry.getUserPattern().match(user)) {
- continue;
- }
- // check priv
- if (entry.privSet.satisfy(wanted)) {
- return true;
- }
- }
- return false;
- }
-
/*
* Add an entry to priv table.
* If entry already exists and errOnExist is false, we try to reset or merge the new priv entry with existing one.
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
index 19e0c703f0..38a0683228 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
@@ -26,7 +26,6 @@ import org.apache.doris.common.io.Writable;
import org.apache.doris.mysql.privilege.PaloAuth.PrivLevel;
import com.google.common.base.Joiner;
-import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
@@ -35,9 +34,6 @@ import java.io.DataOutput;
import java.io.IOException;
import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
public class RoleManager implements Writable {
private Map<String, PaloRole> roles = Maps.newHashMap();
@@ -136,26 +132,60 @@ public class RoleManager implements Writable {
info.add(role.getRoleName());
info.add(Joiner.on(", ").join(role.getUsers()));
- Map<PrivLevel, String> infoMap = role.getTblPatternToPrivs().entrySet().stream()
- .collect(Collectors.groupingBy(entry -> entry.getKey().getPrivLevel())).entrySet().stream()
- .collect(Collectors.toMap(Entry::getKey, entry -> {
- if (entry.getKey() == PrivLevel.GLOBAL) {
- return entry.getValue().stream().findFirst().map(priv -> priv.getValue().toString())
- .orElse(FeConstants.null_string);
- } else {
- return entry.getValue().stream()
- .map(priv -> priv.getKey() + ": " + priv.getValue())
- .collect(Collectors.joining("; "));
- }
- }));
- Stream.of(PrivLevel.GLOBAL, PrivLevel.CATALOG, PrivLevel.DATABASE, PrivLevel.TABLE, PrivLevel.RESOURCE)
- .forEach(level -> {
- String infoItem = infoMap.get(level);
- if (Strings.isNullOrEmpty(infoItem)) {
- infoItem = FeConstants.null_string;
- }
- info.add(infoItem);
- });
+ // global
+ boolean hasGlobal = false;
+ for (Map.Entry<TablePattern, PrivBitSet> entry : role.getTblPatternToPrivs().entrySet()) {
+ if (entry.getKey().getPrivLevel() == PrivLevel.GLOBAL) {
+ hasGlobal = true;
+ info.add(entry.getValue().toString());
+ // global priv should only has one
+ break;
+ }
+ }
+ if (!hasGlobal) {
+ info.add(FeConstants.null_string);
+ }
+
+ // db
+ List<String> tmp = Lists.newArrayList();
+ for (Map.Entry<TablePattern, PrivBitSet> entry : role.getTblPatternToPrivs().entrySet()) {
+ if (entry.getKey().getPrivLevel() == PrivLevel.DATABASE) {
+ tmp.add(entry.getKey().toString() + ": " + entry.getValue().toString());
+ }
+ }
+ if (tmp.isEmpty()) {
+ info.add(FeConstants.null_string);
+ } else {
+ info.add(Joiner.on("; ").join(tmp));
+ }
+
+
+ // tbl
+ tmp.clear();
+ for (Map.Entry<TablePattern, PrivBitSet> entry : role.getTblPatternToPrivs().entrySet()) {
+ if (entry.getKey().getPrivLevel() == PrivLevel.TABLE) {
+ tmp.add(entry.getKey().toString() + ": " + entry.getValue().toString());
+ }
+ }
+ if (tmp.isEmpty()) {
+ info.add(FeConstants.null_string);
+ } else {
+ info.add(Joiner.on("; ").join(tmp));
+ }
+
+ // resource
+ tmp.clear();
+ for (Map.Entry<ResourcePattern, PrivBitSet> entry : role.getResourcePatternToPrivs().entrySet()) {
+ if (entry.getKey().getPrivLevel() == PrivLevel.RESOURCE) {
+ tmp.add(entry.getKey().toString() + ": " + entry.getValue().toString());
+ }
+ }
+ if (tmp.isEmpty()) {
+ info.add(FeConstants.null_string);
+ } else {
+ info.add(Joiner.on("; ").join(tmp));
+ }
+
results.add(info);
}
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivEntry.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivEntry.java
index 7304d31922..c85a1f2912 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivEntry.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivEntry.java
@@ -36,13 +36,10 @@ public class TablePrivEntry extends DbPrivEntry {
protected TablePrivEntry() {
}
- private TablePrivEntry(PatternMatcher userPattern, String user,
- PatternMatcher hostPattern, String origHost,
- PatternMatcher ctlPattern, String origCtl,
- PatternMatcher dbPattern, String origDb,
- PatternMatcher tblPattern, String origTbl,
- boolean isDomain, PrivBitSet privSet) {
- super(userPattern, user, hostPattern, origHost, ctlPattern, origCtl, dbPattern, origDb, isDomain, privSet);
+ private TablePrivEntry(PatternMatcher hostPattern, String origHost, PatternMatcher dbPattern, String origDb,
+ PatternMatcher userPattern, String user, PatternMatcher tblPattern, String origTbl,
+ boolean isDomain, PrivBitSet privSet) {
+ super(hostPattern, origHost, dbPattern, origDb, userPattern, user, isDomain, privSet);
this.tblPattern = tblPattern;
this.origTbl = origTbl;
if (origTbl.equals(ANY_TBL)) {
@@ -50,15 +47,12 @@ public class TablePrivEntry extends DbPrivEntry {
}
}
- public static TablePrivEntry create(String user, String host,
- String ctl, String db, String tbl,
- boolean isDomain, PrivBitSet privs) throws AnalysisException {
+ public static TablePrivEntry create(String host, String db, String user, String tbl, boolean isDomain,
+ PrivBitSet privs) throws AnalysisException {
PatternMatcher hostPattern = PatternMatcher.createMysqlPattern(host, CaseSensibility.HOST.getCaseSensibility());
PatternMatcher dbPattern = PatternMatcher.createFlatPattern(
db, CaseSensibility.DATABASE.getCaseSensibility(), db.equals(ANY_DB));
PatternMatcher userPattern = PatternMatcher.createFlatPattern(user, CaseSensibility.USER.getCaseSensibility());
- PatternMatcher ctlPattern = PatternMatcher.createFlatPattern(
- ctl, CaseSensibility.CATALOG.getCaseSensibility(), ctl.equals(ANY_CTL));
PatternMatcher tblPattern = PatternMatcher.createFlatPattern(
tbl, CaseSensibility.TABLE.getCaseSensibility(), tbl.equals(ANY_TBL));
@@ -67,8 +61,8 @@ public class TablePrivEntry extends DbPrivEntry {
throw new AnalysisException("Table privilege can not contains global or resource privileges: " + privs);
}
- return new TablePrivEntry(userPattern, user, hostPattern, host,
- ctlPattern, ctl, dbPattern, db, tblPattern, tbl, isDomain, privs);
+ return new TablePrivEntry(hostPattern, host, dbPattern, db,
+ userPattern, user, tblPattern, tbl, isDomain, privs);
}
public PatternMatcher getTblPattern() {
@@ -90,11 +84,22 @@ public class TablePrivEntry extends DbPrivEntry {
}
TablePrivEntry otherEntry = (TablePrivEntry) other;
- return compareAssist(origUser, otherEntry.origUser,
- origHost, otherEntry.origHost,
- origCtl, otherEntry.origCtl,
- origDb, otherEntry.origDb,
- origTbl, otherEntry.origTbl);
+ int res = origHost.compareTo(otherEntry.origHost);
+ if (res != 0) {
+ return -res;
+ }
+
+ res = origDb.compareTo(otherEntry.origDb);
+ if (res != 0) {
+ return -res;
+ }
+
+ res = origUser.compareTo(otherEntry.origUser);
+ if (res != 0) {
+ return -res;
+ }
+
+ return -origTbl.compareTo(otherEntry.origTbl);
}
@Override
@@ -104,16 +109,21 @@ public class TablePrivEntry extends DbPrivEntry {
}
TablePrivEntry otherEntry = (TablePrivEntry) other;
- return origUser.equals(otherEntry.origUser) && origHost.equals(otherEntry.origHost)
- && origCtl.equals(otherEntry.origCtl) && origDb.equals(otherEntry.origDb)
- && origTbl.equals(otherEntry.origTbl) && isDomain == otherEntry.isDomain;
+ if (origHost.equals(otherEntry.origHost) && origUser.equals(otherEntry.origUser)
+ && origDb.equals(otherEntry.origDb) && origTbl.equals(otherEntry.origTbl)
+ && isDomain == otherEntry.isDomain) {
+ return true;
+ }
+ return false;
}
@Override
public String toString() {
- return String.format("table privilege. user: %s, host: %s, "
- + "ctl: %s, db: %s, tbl: %s, priv: %s, set by resolver: %b",
- origUser, origHost, origCtl, origDb, origTbl, privSet.toString(), isSetByDomainResolver);
+ StringBuilder sb = new StringBuilder();
+ sb.append("db priv. host: ").append(origHost).append(", db: ").append(origDb);
+ sb.append(", user: ").append(origUser).append(", tbl: ").append(origTbl);
+ sb.append(", priv: ").append(privSet).append(", set by resolver: ").append(isSetByDomainResolver);
+ return sb.toString();
}
@Override
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivTable.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivTable.java
index 475452ac29..0de7816981 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivTable.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/TablePrivTable.java
@@ -32,10 +32,10 @@ import java.io.IOException;
public class TablePrivTable extends PrivTable {
/*
- * Return first priv which match the user@host on ctl.db.tbl The returned priv will
+ * Return first priv which match the user@host on db.tbl The returned priv will
* be saved in 'savedPrivs'.
*/
- public void getPrivs(UserIdentity currentUser, String ctl, String db, String tbl, PrivBitSet savedPrivs) {
+ public void getPrivs(UserIdentity currentUser, String db, String tbl, PrivBitSet savedPrivs) {
TablePrivEntry matchedEntry = null;
for (PrivEntry entry : entries) {
TablePrivEntry tblPrivEntry = (TablePrivEntry) entry;
@@ -43,11 +43,6 @@ public class TablePrivTable extends PrivTable {
continue;
}
- // check catalog
- if (!tblPrivEntry.isAnyCtl() && !tblPrivEntry.getCtlPattern().match(ctl)) {
- continue;
- }
-
// check db
Preconditions.checkState(!tblPrivEntry.isAnyDb());
if (!tblPrivEntry.getDbPattern().match(db)) {
@@ -69,17 +64,33 @@ public class TablePrivTable extends PrivTable {
savedPrivs.or(matchedEntry.getPrivSet());
}
- public boolean hasPrivsOfDb(UserIdentity currentUser, String ctl, String db) {
+ /*
+ * Check if user@host has specified privilege on any table
+ */
+ public boolean hasPriv(String host, String user, PrivPredicate wanted) {
for (PrivEntry entry : entries) {
TablePrivEntry tblPrivEntry = (TablePrivEntry) entry;
-
- if (!tblPrivEntry.match(currentUser, true)) {
+ // check host
+ if (!tblPrivEntry.isAnyHost() && !tblPrivEntry.getHostPattern().match(host)) {
+ continue;
+ }
+ // check user
+ if (!tblPrivEntry.isAnyUser() && !tblPrivEntry.getUserPattern().match(user)) {
continue;
}
+ // check priv
+ if (tblPrivEntry.privSet.satisfy(wanted)) {
+ return true;
+ }
+ }
+ return false;
+ }
- // check catalog
- Preconditions.checkState(!tblPrivEntry.isAnyCtl());
- if (!tblPrivEntry.getCtlPattern().match(ctl)) {
+ public boolean hasPrivsOfDb(UserIdentity currentUser, String db) {
+ for (PrivEntry entry : entries) {
+ TablePrivEntry tblPrivEntry = (TablePrivEntry) entry;
+
+ if (!tblPrivEntry.match(currentUser, true)) {
continue;
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
index c50f5569bf..2ae20c3658 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/UserPrivTable.java
@@ -20,7 +20,6 @@ package org.apache.doris.mysql.privilege;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.io.Text;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.mysql.MysqlPassword;
import org.apache.logging.log4j.LogManager;
@@ -28,7 +27,6 @@ import org.apache.logging.log4j.Logger;
import java.io.DataOutput;
import java.io.IOException;
-import java.util.LinkedList;
import java.util.List;
/*
@@ -59,6 +57,27 @@ public class UserPrivTable extends PrivTable {
savedPrivs.or(matchedEntry.getPrivSet());
}
+ /*
+ * Check if user@host has specified privilege
+ */
+ public boolean hasPriv(String host, String user, PrivPredicate wanted) {
+ for (PrivEntry entry : entries) {
+ GlobalPrivEntry globalPrivEntry = (GlobalPrivEntry) entry;
+ // check host
+ if (!globalPrivEntry.isAnyHost() && !globalPrivEntry.getHostPattern().match(host)) {
+ continue;
+ }
+ // check user
+ if (!globalPrivEntry.isAnyUser() && !globalPrivEntry.getUserPattern().match(user)) {
+ continue;
+ }
+ if (globalPrivEntry.getPrivSet().satisfy(wanted)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
// validate the connection by host, user and password.
// return true if this connection is valid, and 'savedPrivs' save all global privs got from user table.
// if currentUser is not null, save the current user identity
@@ -177,33 +196,4 @@ public class UserPrivTable extends PrivTable {
super.write(out);
}
-
- /**
- * When replay UserPrivTable from journal whose FeMetaVersion < VERSION_111, the global-level privileges should
- * degrade to internal-catalog-level privileges.
- */
- public CatalogPrivTable degradeToInternalCatalogPriv() throws IOException {
- CatalogPrivTable catalogPrivTable = new CatalogPrivTable();
- List<PrivEntry> degradedEntries = new LinkedList<>();
- for (PrivEntry privEntry : entries) {
- GlobalPrivEntry globalPrivEntry = (GlobalPrivEntry) privEntry;
- if (!globalPrivEntry.match(UserIdentity.ROOT, true)
- && !globalPrivEntry.match(UserIdentity.ADMIN, true)
- && !globalPrivEntry.privSet.isEmpty()) {
- try {
- CatalogPrivEntry entry = CatalogPrivEntry.create(globalPrivEntry.origUser, globalPrivEntry.origHost,
- InternalDataSource.INTERNAL_DS_NAME, globalPrivEntry.isDomain, globalPrivEntry.privSet);
- entry.setSetByDomainResolver(false);
- catalogPrivTable.addEntry(entry, false, false);
- degradedEntries.add(globalPrivEntry);
- } catch (Exception e) {
- throw new IOException(e.getMessage());
- }
- }
- }
- for (PrivEntry degraded : degradedEntries) {
- dropEntry(degraded);
- }
- return catalogPrivTable;
- }
}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
index 724278af10..31f71ecb40 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
@@ -23,7 +23,6 @@ import org.apache.doris.catalog.Database;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.UserException;
import org.apache.doris.common.util.DebugUtil;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.datasource.SessionContext;
import org.apache.doris.mysql.MysqlCapability;
import org.apache.doris.mysql.MysqlChannel;
@@ -109,7 +108,6 @@ public class ConnectContext {
// Catalog: put catalog here is convenient for unit test,
// because catalog is singleton, hard to mock
protected Catalog catalog;
- protected String defaultCatalog = InternalDataSource.INTERNAL_DS_NAME;
protected boolean isSend;
protected AuditEventBuilder auditEventBuilder = new AuditEventBuilder();
@@ -292,7 +290,6 @@ public class ConnectContext {
public void setCatalog(Catalog catalog) {
this.catalog = catalog;
- defaultCatalog = catalog.getInternalDataSource().getName();
}
public Catalog getCatalog() {
@@ -413,14 +410,6 @@ public class ConnectContext {
return serverCapability;
}
- public String getDefaultCatalog() {
- return defaultCatalog;
- }
-
- public void changeDefaultCatalog(String catalogName) {
- defaultCatalog = catalogName;
- }
-
public String getDatabase() {
return currentDb;
}
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
index 4c2d7e7ce9..886783896a 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/AuthTest.java
@@ -35,7 +35,6 @@ import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.UserException;
-import org.apache.doris.datasource.InternalDataSource;
import org.apache.doris.persist.EditLog;
import org.apache.doris.persist.PrivInfo;
import org.apache.doris.qe.ConnectContext;
@@ -103,10 +102,6 @@ public class AuthTest {
minTimes = 0;
result = SystemInfoService.DEFAULT_CLUSTER;
- analyzer.getDefaultCatalog();
- minTimes = 0;
- result = InternalDataSource.INTERNAL_DS_NAME;
-
Catalog.getCurrentCatalog();
minTimes = 0;
result = catalog;
@@ -1247,7 +1242,7 @@ public class AuthTest {
}
};
Assert.assertFalse(auth.checkGlobalPriv(ctx, PrivPredicate.OPERATOR));
- grantStmt = new GrantStmt(opUser, null, new TablePattern("*", "*", "*"), privileges);
+ grantStmt = new GrantStmt(opUser, null, new TablePattern("*", "*"), privileges);
// first, use op_user itself to grant node_priv, which is not allowed
try {
new Expectations() {
diff --git a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/PrivEntryTest.java b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/PrivEntryTest.java
index 8e9a3f173b..71f6990191 100644
--- a/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/PrivEntryTest.java
+++ b/fe/fe-core/src/test/java/org/apache/doris/mysql/privilege/PrivEntryTest.java
@@ -26,7 +26,7 @@ public class PrivEntryTest {
@Test
public void testNameWithUnderscores() throws Exception {
TablePrivEntry tablePrivEntry = TablePrivEntry.create(
- "user1", "127.%", "__internal", "db_db1", "tbl_tbl1", false,
+ "127.%", "db_db1", "user1", "tbl_tbl1", false,
PrivBitSet.of(PaloPrivilege.SELECT_PRIV, PaloPrivilege.DROP_PRIV));
// pattern match
Assert.assertFalse(tablePrivEntry.getDbPattern().match("db-db1"));
@@ -38,11 +38,11 @@ public class PrivEntryTest {
userIdentity.setIsAnalyzed();
PrivBitSet privs1 = PrivBitSet.of();
- tablePrivTable.getPrivs(userIdentity, "##internal", "db#db1", "tbl#tbl1", privs1);
+ tablePrivTable.getPrivs(userIdentity, "db#db1", "tbl#tbl1", privs1);
Assert.assertFalse(PaloPrivilege.satisfy(privs1, PrivPredicate.DROP));
PrivBitSet privs2 = PrivBitSet.of();
- tablePrivTable.getPrivs(userIdentity, "__internal", "db_db1", "tbl_tbl1", privs2);
+ tablePrivTable.getPrivs(userIdentity, "db_db1", "tbl_tbl1", privs2);
Assert.assertTrue(PaloPrivilege.satisfy(privs2, PrivPredicate.DROP));
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org