Posted to dev@doris.apache.org by GitBox <gi...@apache.org> on 2019/07/15 14:25:36 UTC

[GitHub] [incubator-doris] imay commented on a change in pull request #1472: Support grant GRANT_PRIV on database or table level

imay commented on a change in pull request #1472: Support grant GRANT_PRIV on database or table level
URL: https://github.com/apache/incubator-doris/pull/1472#discussion_r303461517
 
 

 ##########
 File path: fe/src/main/java/org/apache/doris/analysis/RevokeStmt.java
 ##########
 @@ -88,25 +88,36 @@ public void analyze(Analyzer analyzer) throws AnalysisException {
         }
 
         // can not revoke NODE_PRIV from any user
-        for (PaloPrivilege paloPrivilege : privileges) {
-            if (paloPrivilege == PaloPrivilege.NODE_PRIV) {
-                throw new AnalysisException("Can not revoke NODE_PRIV from any users or roles");
-            }
+        if (privileges.contains(PaloPrivilege.NODE_PRIV)) {
+            throw new AnalysisException("Can not revoke NODE_PRIV from any users or roles");
         }
 
-        // ADMIN_PRIV and GRANT_PRIV can only be revoked as global
+        // ADMIN_PRIV can only be revoked on GLOBAL level
         if (tblPattern.getPrivLevel() != PrivLevel.GLOBAL) {
-            for (PaloPrivilege paloPrivilege : privileges) {
-                if (paloPrivilege == PaloPrivilege.ADMIN_PRIV || paloPrivilege == PaloPrivilege.GRANT_PRIV) {
-                    throw new AnalysisException(
-                            "Can not revoke ADMIN_PRIV or GRANT_PRIV from specified database or table. Only support from *.*");
-                }
+            if (privileges.contains(PaloPrivilege.ADMIN_PRIV)) {
+                throw new AnalysisException("Can not revoke ADMIN_PRIV from specified database or table. Only support from *.*");
             }
         }
 
-        if (!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
-            ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
-                                                "REVOKE");
+        if (role != null) {
+            // only user with GLOBAL level's GRANT_PRIV can revoke privileges to roles.
+            if (!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
+                ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "REVOKE");
+            }
+        } else {
+            // revoke from a certain user
+            // 1. check if current user has GLOBAL level GRANT_PRIV.
+            // 2. or if current user has DATABASE level GRANT_PRIV if grant to certain database.
+            if (tblPattern.getPrivLevel() == PrivLevel.GLOBAL) {
+                if (!Catalog.getCurrentCatalog().getAuth().checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
+                    ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "GRANT");
+                }
+            } else {
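
Review bot: In the user branch's GLOBAL-level check, the access-denied error is reported with "GRANT", but this is RevokeStmt.analyze(); the role branch a few lines above and the removed code both pass "REVOKE", so this argument looks carried over from the grant path and should be "REVOKE" so the denial names the statement the user actually ran. The new comments show the same carry-over ("revoke privileges to roles", "if grant to certain database") and should be worded as revoking from a role or database. The identical checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT) call now appears in both the role branch and the GLOBAL user branch; a single condition such as `role != null || tblPattern.getPrivLevel() == PrivLevel.GLOBAL` would keep the two from drifting apart.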
 
 Review comment:
   How about table level?
   
   And do grant and revoke have the same logic? Do these two classes reuse some code?
