Posted to commits@iotdb.apache.org by ha...@apache.org on 2022/08/01 10:22:47 UTC

[iotdb] branch cp_2736 created (now 2eda77132a)

This is an automated email from the ASF dual-hosted git repository.

haonan pushed a change to branch cp_2736
in repository https://gitbox.apache.org/repos/asf/iotdb.git


      at 2eda77132a [IOTDB-2736] DELETE_STORAGE_GROUP can not be granted to user (reporting 401) (#5233)

This branch includes the following new commits:

     new 2eda77132a [IOTDB-2736] DELETE_STORAGE_GROUP can not be granted to user (reporting 401) (#5233)

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[iotdb] 01/01: [IOTDB-2736] DELETE_STORAGE_GROUP can not be granted to user (reporting 401) (#5233)

Posted by ha...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

haonan pushed a commit to branch cp_2736
in repository https://gitbox.apache.org/repos/asf/iotdb.git

commit 2eda77132a5bc83dc97692d4eec59de34cd36b8c
Author: Steve Yurong Su <ro...@apache.org>
AuthorDate: Tue Mar 15 20:43:10 2022 +0800

    [IOTDB-2736] DELETE_STORAGE_GROUP can not be granted to user (reporting 401) (#5233)
---
 .../antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4  |  7 +++-
 .../Administration-Management/Administration.md    |  1 +
 .../Administration-Management/Administration.md    |  1 +
 .../iotdb/db/integration/IoTDBAuthorizationIT.java | 49 ++++++++++++++++++++++
 .../org/apache/iotdb/db/auth/AuthorityChecker.java |  2 +
 .../apache/iotdb/db/auth/entity/PrivilegeType.java | 37 ++++++++++------
 .../java/org/apache/iotdb/db/utils/AuthUtils.java  |  2 +
 7 files changed, 85 insertions(+), 14 deletions(-)

diff --git a/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 b/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
index 23f8990e72..dff4887a61 100644
--- a/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
+++ b/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4
@@ -695,7 +695,8 @@ UNCOMPRESSED
 // Privileges Keywords
 
 PRIVILEGE_VALUE
-    : SET_STORAGE_GROUP | CREATE_TIMESERIES | INSERT_TIMESERIES | READ_TIMESERIES | DELETE_TIMESERIES
+    : SET_STORAGE_GROUP | DELETE_STORAGE_GROUP
+    | CREATE_TIMESERIES | INSERT_TIMESERIES | READ_TIMESERIES | DELETE_TIMESERIES
     | CREATE_USER | DELETE_USER | MODIFY_PASSWORD | LIST_USER
     | GRANT_USER_PRIVILEGE | REVOKE_USER_PRIVILEGE | GRANT_USER_ROLE | REVOKE_USER_ROLE
     | CREATE_ROLE | DELETE_ROLE | LIST_ROLE | GRANT_ROLE_PRIVILEGE | REVOKE_ROLE_PRIVILEGE
@@ -708,6 +709,10 @@ SET_STORAGE_GROUP
     : S E T '_' S T O R A G E '_' G R O U P
     ;
 
+DELETE_STORAGE_GROUP
+    : D E L E T E '_' S T O R A G E '_' G R O U P
+    ;
+
 CREATE_TIMESERIES
     : C R E A T E '_' T I M E S E R I E S
     ;
diff --git a/docs/UserGuide/Administration-Management/Administration.md b/docs/UserGuide/Administration-Management/Administration.md
index 323a46b69f..b2d25737bf 100644
--- a/docs/UserGuide/Administration-Management/Administration.md
+++ b/docs/UserGuide/Administration-Management/Administration.md
@@ -286,6 +286,7 @@ At the same time, changes to roles are immediately reflected on all users who ow
 |privilege Name|Interpretation|
 |:---|:---|
 |SET\_STORAGE\_GROUP|set storage groups; path dependent|
+|DELETE\_STORAGE\_GROUP|delete storage groups; path dependent|
 |CREATE\_TIMESERIES|create timeseries; path dependent|
 |INSERT\_TIMESERIES|insert data; path dependent|
 |READ\_TIMESERIES|query data; path dependent|
diff --git a/docs/zh/UserGuide/Administration-Management/Administration.md b/docs/zh/UserGuide/Administration-Management/Administration.md
index c50fabcfa7..412452bd67 100644
--- a/docs/zh/UserGuide/Administration-Management/Administration.md
+++ b/docs/zh/UserGuide/Administration-Management/Administration.md
@@ -291,6 +291,7 @@ Eg: IoTDB > ALTER USER tempuser SET PASSWORD 'newpwd';
 |权限名称|说明|
 |:---|:---|
 |SET\_STORAGE\_GROUP|创建存储组。包含设置存储组的权限。路径相关|
+|DELETE\_STORAGE\_GROUP|删除存储组。路径相关|
 |CREATE\_TIMESERIES|创建时间序列。路径相关|
 |INSERT\_TIMESERIES|插入数据。路径相关|
 |READ\_TIMESERIES|查询数据。路径相关|
diff --git a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
index 1008198449..1d82f335e9 100644
--- a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
+++ b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
@@ -169,6 +169,55 @@ public class IoTDBAuthorizationIT {
     }
   }
 
+  @Test
+  public void testSetDeleteSG() throws ClassNotFoundException, SQLException {
+    Class.forName(Config.JDBC_DRIVER_NAME);
+    try (Connection adminCon =
+            DriverManager.getConnection(
+                Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
+        Statement adminStmt = adminCon.createStatement()) {
+      adminStmt.execute("CREATE USER sgtest 'sgtest'");
+
+      boolean caught = false;
+      try (Connection userCon =
+              DriverManager.getConnection(
+                  Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "sgtest", "sgtest");
+          Statement userStmt = userCon.createStatement()) {
+
+        try {
+          userStmt.execute("SET STORAGE GROUP TO root.sgtest");
+        } catch (SQLException e) {
+          caught = true;
+        }
+        assertTrue(caught);
+
+        adminStmt.execute("GRANT USER sgtest PRIVILEGES SET_STORAGE_GROUP ON root.sgtest");
+
+        try {
+          userStmt.execute("SET STORAGE GROUP TO root.sgtest");
+        } catch (SQLException e) {
+          fail(e.getMessage());
+        }
+
+        caught = false;
+        try {
+          userStmt.execute("DELETE STORAGE GROUP root.sgtest");
+        } catch (SQLException e) {
+          caught = true;
+        }
+        assertTrue(caught);
+
+        adminStmt.execute("GRANT USER sgtest PRIVILEGES DELETE_STORAGE_GROUP ON root.sgtest");
+
+        try {
+          userStmt.execute("DELETE STORAGE GROUP root.sgtest");
+        } catch (SQLException e) {
+          fail(e.getMessage());
+        }
+      }
+    }
+  }
+
   @Test
   public void testTriggerPrivileges() throws ClassNotFoundException, SQLException {
     Class.forName(Config.JDBC_DRIVER_NAME);
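Review bot: The `assertTrue(caught)` checks in testSetDeleteSG treat any SQLException from `SET STORAGE GROUP TO root.sgtest` and `DELETE STORAGE GROUP root.sgtest` as a permission denial, so the test also passes if the statement fails for an unrelated reason (a parse error, a storage group that does not exist). Asserting on the denial itself, for example checking that `e.getMessage()` carries the authorization error the commit title refers to (the 401 status), would pin the behaviour this commit fixes rather than just "some failure happened". The user `sgtest` created through adminStmt is never dropped; unless the suite resets server state between tests, a second run fails on `CREATE USER`, and a `DROP USER sgtest` in a finally block would make the test self-contained. The method is fully inside the hunk.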
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 6abf4e7088..154e523d9b 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -119,6 +119,8 @@ public class AuthorityChecker {
         return PrivilegeType.REVOKE_USER_ROLE.ordinal();
       case SET_STORAGE_GROUP:
         return PrivilegeType.SET_STORAGE_GROUP.ordinal();
+      case DELETE_STORAGE_GROUP:
+        return PrivilegeType.DELETE_STORAGE_GROUP.ordinal();
       case CREATE_TIMESERIES:
       case CREATE_ALIGNED_TIMESERIES:
         return PrivilegeType.CREATE_TIMESERIES.ordinal();
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java b/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
index ce233da788..efd3e86e4d 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
@@ -20,13 +20,13 @@ package org.apache.iotdb.db.auth.entity;
 
 /** This enum class contains all available privileges in IoTDB. */
 public enum PrivilegeType {
-  SET_STORAGE_GROUP,
-  INSERT_TIMESERIES,
+  SET_STORAGE_GROUP(true),
+  INSERT_TIMESERIES(true),
   @Deprecated
-  UPDATE_TIMESERIES,
-  READ_TIMESERIES,
-  CREATE_TIMESERIES,
-  DELETE_TIMESERIES,
+  UPDATE_TIMESERIES(true),
+  READ_TIMESERIES(true),
+  CREATE_TIMESERIES(true),
+  DELETE_TIMESERIES(true),
   CREATE_USER,
   DELETE_USER,
   MODIFY_PASSWORD,
@@ -42,16 +42,29 @@ public enum PrivilegeType {
   REVOKE_ROLE_PRIVILEGE,
   CREATE_FUNCTION,
   DROP_FUNCTION,
-  CREATE_TRIGGER,
-  DROP_TRIGGER,
-  START_TRIGGER,
-  STOP_TRIGGER,
+  CREATE_TRIGGER(true),
+  DROP_TRIGGER(true),
+  START_TRIGGER(true),
+  STOP_TRIGGER(true),
   CREATE_CONTINUOUS_QUERY,
   DROP_CONTINUOUS_QUERY,
   ALL,
+  DELETE_STORAGE_GROUP(true),
   UPDATE_TEMPLATE,
   APPLY_TEMPLATE;
 
+  private static final int PRIVILEGE_COUNT = values().length;
+
+  private final boolean isPathRelevant;
+
+  PrivilegeType() {
+    this.isPathRelevant = false;
+  }
+
+  PrivilegeType(boolean isPathRelevant) {
+    this.isPathRelevant = isPathRelevant;
+  }
+
   /**
    * Some privileges need a seriesPath as parameter, while others do not. This method returns which
    * privileges need a seriesPath.
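Review bot: The unchanged line `APPLY_TEMPLATE;` is left without the `(true)` flag, yet the old `isPathRelevant` body that the next hunk replaces explicitly returned true for `type == APPLY_TEMPLATE.ordinal()`, so the rewrite silently turns that privilege into a non-path-relevant one; the declaration should read `APPLY_TEMPLATE(true);` to preserve the previous behaviour. Separately, `DELETE_STORAGE_GROUP(true)` is inserted between ALL and UPDATE_TEMPLATE instead of being appended, which shifts the ordinals of UPDATE_TEMPLATE and APPLY_TEMPLATE by one; since AuthorityChecker and isPathRelevant identify privileges by `ordinal()`, any stored user or role privilege set that encodes those ints would, after an upgrade, read a previously granted UPDATE_TEMPLATE as DELETE_STORAGE_GROUP. Whether the auth storage persists ordinals is not visible here, but if it does the new constant belongs at the end of the list. A one-line comment above the constants, such as `// Constants are identified by ordinal(); only append, never reorder or insert.`, would keep this from recurring.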
@@ -60,8 +73,6 @@ public enum PrivilegeType {
    * @return Whether this privilege need a seriesPath or not.
    */
   public static boolean isPathRelevant(int type) {
-    return type <= DELETE_TIMESERIES.ordinal()
-        || (CREATE_TRIGGER.ordinal() <= type && type <= STOP_TRIGGER.ordinal())
-        || type == APPLY_TEMPLATE.ordinal();
+    return 0 <= type && type < PRIVILEGE_COUNT && values()[type].isPathRelevant;
   }
 }
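Review bot: `values()[type]` in the new `isPathRelevant` body clones the constant array on every call, so each authorization check now allocates; caching it once next to PRIVILEGE_COUNT avoids that and makes the count redundant: `private static final PrivilegeType[] VALUES = values();` and `return 0 <= type && type < VALUES.length && VALUES[type].isPathRelevant;`. The added bounds check also changes the contract for out-of-range ids from throwing to returning false, which the Javadoc above the method does not mention; extending `@return` with "false for ids outside the enum range" would document it.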
diff --git a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
index 16e851bad3..6724ad845a 100644
--- a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
+++ b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
@@ -134,6 +134,7 @@ public class AuthUtils {
       switch (type) {
         case READ_TIMESERIES:
         case SET_STORAGE_GROUP:
+        case DELETE_STORAGE_GROUP:
         case CREATE_TIMESERIES:
         case DELETE_TIMESERIES:
         case INSERT_TIMESERIES:
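Review bot: The switch here and the one in the second hunk of this file (`switch (type)` followed by the same case list) each keep a hand-maintained copy of the path-relevant privileges, which the commit extends by hand in both places even though PrivilegeType now records the same fact as the per-constant `isPathRelevant` flag; three copies of the list are one more place to forget the next privilege. Since the case labels are unqualified enum constants, `type` is a PrivilegeType, so each case list could be replaced by `if (PrivilegeType.isPathRelevant(type.ordinal()))` or by an instance accessor added to the enum, leaving a single source of truth. Both enclosing methods start and end outside the hunks, so what each branch does with the match is not visible here.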
@@ -151,6 +152,7 @@ public class AuthUtils {
       switch (type) {
         case READ_TIMESERIES:
         case SET_STORAGE_GROUP:
+        case DELETE_STORAGE_GROUP:
         case CREATE_TIMESERIES:
         case DELETE_TIMESERIES:
         case INSERT_TIMESERIES: