You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@shardingsphere.apache.org by GitBox <gi...@apache.org> on 2023/01/18 09:53:27 UTC
[GitHub] [shardingsphere] azexcy commented on a diff in pull request #23627: Add privileges check at CDC
azexcy commented on code in PR #23627:
URL: https://github.com/apache/shardingsphere/pull/23627#discussion_r1073278244
##########
proxy/frontend/core/src/main/java/org/apache/shardingsphere/proxy/frontend/netty/CDCChannelInboundHandler.java:
##########
@@ -79,27 +85,40 @@ public void channelInactive(final ChannelHandlerContext ctx) {
ctx.channel().attr(CONNECTION_CONTEXT_KEY).set(null);
}
+ @Override
+ public void exceptionCaught(final ChannelHandlerContext ctx, final Throwable cause) {
Review Comment:
Perhaps we need to clarify what kind of exception needs to be thrown to close the channel, and only clean contexnt when the channl closed?
##########
proxy/frontend/core/src/main/java/org/apache/shardingsphere/proxy/frontend/netty/CDCChannelInboundHandler.java:
##########
@@ -109,33 +128,50 @@ public void channelRead(final ChannelHandlerContext ctx, final Object msg) {
}
}
- private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request) {
+ private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
if (!request.hasLogin() || !request.getLogin().hasBasicBody()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.ILLEGAL_REQUEST_ERROR, "Miss login request body")).addListener(ChannelFutureListener.CLOSE);
return;
}
BasicBody body = request.getLogin().getBasicBody();
- Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
- Optional<AuthorityRule> authorityRule = globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ Optional<AuthorityRule> authorityRule = findAuthorityRule();
if (!authorityRule.isPresent()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Not find authority rule")).addListener(ChannelFutureListener.CLOSE);
return;
}
Optional<ShardingSphereUser> user = authorityRule.get().findUser(new Grantee(body.getUsername(), getHostAddress(ctx)));
if (user.isPresent() && Objects.equals(Hashing.sha256().hashBytes(user.get().getPassword().getBytes()).toString().toUpperCase(), body.getPassword())) {
- ctx.channel().attr(CONNECTION_CONTEXT_KEY).get().setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setCurrentUser(user.get());
ctx.writeAndFlush(CDCResponseGenerator.succeedBuilder(request.getRequestId()).build());
+ } else {
+ ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Incorrect username or password")).addListener(ChannelFutureListener.CLOSE);
+ }
+ }
+
+ private Optional<AuthorityRule> findAuthorityRule() {
+ Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
+ return globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ }
+
+ private void checkPrivileges(final Grantee grantee, final String currentDatabase) {
+ if (null == grantee) {
return;
}
- ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Incorrect username or password")).addListener(ChannelFutureListener.CLOSE);
+ Optional<AuthorityRule> authorityRule = findAuthorityRule();
+ ShardingSpherePreconditions.checkState(authorityRule.isPresent(), () -> new SQLCheckException("Not find authority rule"));
Review Comment:
Yes, I'm considering whether the CDC using its own exceptions instead of using existing ones
##########
proxy/frontend/core/src/main/java/org/apache/shardingsphere/proxy/frontend/netty/CDCChannelInboundHandler.java:
##########
@@ -109,33 +128,50 @@ public void channelRead(final ChannelHandlerContext ctx, final Object msg) {
}
}
- private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request) {
+ private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
if (!request.hasLogin() || !request.getLogin().hasBasicBody()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.ILLEGAL_REQUEST_ERROR, "Miss login request body")).addListener(ChannelFutureListener.CLOSE);
return;
}
BasicBody body = request.getLogin().getBasicBody();
- Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
- Optional<AuthorityRule> authorityRule = globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ Optional<AuthorityRule> authorityRule = findAuthorityRule();
if (!authorityRule.isPresent()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Not find authority rule")).addListener(ChannelFutureListener.CLOSE);
return;
}
Optional<ShardingSphereUser> user = authorityRule.get().findUser(new Grantee(body.getUsername(), getHostAddress(ctx)));
if (user.isPresent() && Objects.equals(Hashing.sha256().hashBytes(user.get().getPassword().getBytes()).toString().toUpperCase(), body.getPassword())) {
- ctx.channel().attr(CONNECTION_CONTEXT_KEY).get().setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setCurrentUser(user.get());
ctx.writeAndFlush(CDCResponseGenerator.succeedBuilder(request.getRequestId()).build());
+ } else {
+ ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Incorrect username or password")).addListener(ChannelFutureListener.CLOSE);
+ }
+ }
+
+ private Optional<AuthorityRule> findAuthorityRule() {
+ Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
+ return globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ }
+
+ private void checkPrivileges(final Grantee grantee, final String currentDatabase) {
+ if (null == grantee) {
return;
}
Review Comment:
`grantee` can't be null yet, remove check.
##########
proxy/frontend/core/src/main/java/org/apache/shardingsphere/proxy/frontend/netty/CDCChannelInboundHandler.java:
##########
@@ -164,22 +201,27 @@ private void processStartSubscription(final ChannelHandlerContext ctx, final CDC
.addListener(ChannelFutureListener.CLOSE);
return;
}
+ checkPrivileges(connectionContext.getCurrentUser().getGrantee(), startSubscriptionRequest.getDatabase());
CDCResponse response = backendHandler.startSubscription(request, ctx.channel(), connectionContext);
ctx.writeAndFlush(response);
}
- private void stopStartSubscription(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
+ private void processStopSubscription(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
+ StopSubscriptionRequest stopSubscriptionRequest = request.getStopSubscription();
+ checkPrivileges(connectionContext.getCurrentUser().getGrantee(), stopSubscriptionRequest.getDatabase());
backendHandler.stopSubscription(connectionContext.getJobId());
connectionContext.setStatus(CDCConnectionStatus.LOGGED_IN);
ctx.writeAndFlush(CDCResponseGenerator.succeedBuilder(request.getRequestId()).build());
}
- private void dropStartSubscription(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
+ private void processDropSubscription(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
+ DropSubscriptionRequest dropSubscriptionRequest = request.getDropSubscription();
+ checkPrivileges(connectionContext.getCurrentUser().getGrantee(), dropSubscriptionRequest.getDatabase());
try {
backendHandler.dropSubscription(connectionContext.getJobId());
ctx.writeAndFlush(CDCResponseGenerator.succeedBuilder(request.getRequestId()).build());
} catch (final SQLException ex) {
- ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, ex.getMessage()));
+ ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, ex.getMessage())).addListener(ChannelFutureListener.CLOSE);
}
Review Comment:
Now it is not clear whether to close the channel when the exception occurs.
Perhaps we can assume that any exceptions before successful login will close the channel, and any exceptions after successful login will not close the channel
##########
proxy/frontend/core/src/main/java/org/apache/shardingsphere/proxy/frontend/netty/CDCChannelInboundHandler.java:
##########
@@ -109,33 +128,50 @@ public void channelRead(final ChannelHandlerContext ctx, final Object msg) {
}
}
- private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request) {
+ private void processLogin(final ChannelHandlerContext ctx, final CDCRequest request, final CDCConnectionContext connectionContext) {
if (!request.hasLogin() || !request.getLogin().hasBasicBody()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.ILLEGAL_REQUEST_ERROR, "Miss login request body")).addListener(ChannelFutureListener.CLOSE);
return;
}
BasicBody body = request.getLogin().getBasicBody();
- Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
- Optional<AuthorityRule> authorityRule = globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ Optional<AuthorityRule> authorityRule = findAuthorityRule();
if (!authorityRule.isPresent()) {
ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Not find authority rule")).addListener(ChannelFutureListener.CLOSE);
return;
}
Optional<ShardingSphereUser> user = authorityRule.get().findUser(new Grantee(body.getUsername(), getHostAddress(ctx)));
if (user.isPresent() && Objects.equals(Hashing.sha256().hashBytes(user.get().getPassword().getBytes()).toString().toUpperCase(), body.getPassword())) {
- ctx.channel().attr(CONNECTION_CONTEXT_KEY).get().setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setStatus(CDCConnectionStatus.LOGGED_IN);
+ connectionContext.setCurrentUser(user.get());
ctx.writeAndFlush(CDCResponseGenerator.succeedBuilder(request.getRequestId()).build());
+ } else {
+ ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Incorrect username or password")).addListener(ChannelFutureListener.CLOSE);
+ }
+ }
+
+ private Optional<AuthorityRule> findAuthorityRule() {
+ Collection<ShardingSphereRule> globalRules = ProxyContext.getInstance().getContextManager().getMetaDataContexts().getMetaData().getGlobalRuleMetaData().getRules();
+ return globalRules.stream().filter(rule -> rule instanceof AuthorityRule).map(rule -> (AuthorityRule) rule).findFirst();
+ }
+
+ private void checkPrivileges(final Grantee grantee, final String currentDatabase) {
+ if (null == grantee) {
return;
}
- ctx.writeAndFlush(CDCResponseGenerator.failed(request.getRequestId(), CDCResponseErrorCode.SERVER_ERROR, "Incorrect username or password")).addListener(ChannelFutureListener.CLOSE);
+ Optional<AuthorityRule> authorityRule = findAuthorityRule();
+ ShardingSpherePreconditions.checkState(authorityRule.isPresent(), () -> new SQLCheckException("Not find authority rule"));
+ Optional<ShardingSpherePrivileges> privileges = authorityRule.get().findPrivileges(grantee);
+ ShardingSpherePreconditions.checkState(privileges.isPresent(), () -> new SQLCheckException(String.format("Access denied for user '%s'@'%s'", grantee.getUsername(), grantee.getHostname())));
+ ShardingSpherePreconditions.checkState(null == currentDatabase || privileges.filter(optional -> optional.hasPrivileges(currentDatabase)).isPresent(),
+ () -> new SQLCheckException(String.format("Unknown database '%s'", currentDatabase)));
Review Comment:
currentDatabase will not be null yet, need to consider when supporting mysql in the future, remove first
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@shardingsphere.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org