Posted to commits@iotdb.apache.org by ha...@apache.org on 2021/05/12 16:32:58 UTC
[iotdb] branch rel/0.11 updated: [To rel/0.11][ISSUE-3166]
Privilege `CREATE_TIMESERIES` is not stated in the document (#3171)
This is an automated email from the ASF dual-hosted git repository.
haonan pushed a commit to branch rel/0.11
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/rel/0.11 by this push:
new fa2ca43 [To rel/0.11][ISSUE-3166] Privilege `CREATE_TIMESERIES` is not stated in the document (#3171)
fa2ca43 is described below
commit fa2ca43831adcfad176bf824d8629915dafaf808
Author: Steve Yurong Su <st...@outlook.com>
AuthorDate: Thu May 13 00:32:22 2021 +0800
[To rel/0.11][ISSUE-3166] Privilege `CREATE_TIMESERIES` is not stated in the document (#3171)
---
docs/UserGuide/Operation Manual/Administration.md | 7 ++-
.../UserGuide/Operation Manual/Administration.md | 3 +-
.../apache/iotdb/db/auth/entity/PrivilegeType.java | 29 ++++++++---
.../java/org/apache/iotdb/db/utils/AuthUtils.java | 58 +++++++++++-----------
.../apache/iotdb/db/auth/AuthorityCheckerTest.java | 2 -
.../iotdb/db/auth/LocalFileAuthorizerTest.java | 24 ++++-----
6 files changed, 67 insertions(+), 56 deletions(-)
diff --git a/docs/UserGuide/Operation Manual/Administration.md b/docs/UserGuide/Operation Manual/Administration.md
index e989ea6..8effb23 100644
--- a/docs/UserGuide/Operation Manual/Administration.md
+++ b/docs/UserGuide/Operation Manual/Administration.md
@@ -99,12 +99,12 @@ At the same time, changes to roles are immediately reflected on all users who ow
### List of Privileges Included in the System
-<center>**List of privileges Included in the System**
+**List of privileges Included in the System**
|privilege Name|Interpretation|
|:---|:---|
-|SET\_STORAGE\_GROUP|create timeseries; set storage groups; path dependent|
-|INSERT\_TIMESERIES|insert data; path dependent|
+|SET\_STORAGE\_GROUP|set storage groups; path dependent|
+|CREATE\_TIMESERIES|create timeseries; path dependent|
|READ\_TIMESERIES|query data; path dependent|
|DELETE\_TIMESERIES|delete data or timeseries; path dependent|
|CREATE\_USER|create users; path independent|
@@ -120,7 +120,6 @@ At the same time, changes to roles are immediately reflected on all users who ow
|LIST\_ROLE|list all roles; list the privileges of a role; list the three kinds of operation privileges of all users owning a role; path independent|
|GRANT\_ROLE\_PRIVILEGE|grant role privileges; path independent|
|REVOKE\_ROLE\_PRIVILEGE|revoke role privileges; path independent|
-</center>
### Username Restrictions
diff --git a/docs/zh/UserGuide/Operation Manual/Administration.md b/docs/zh/UserGuide/Operation Manual/Administration.md
index 9706b1a..0af160d 100644
--- a/docs/zh/UserGuide/Operation Manual/Administration.md
+++ b/docs/zh/UserGuide/Operation Manual/Administration.md
@@ -97,7 +97,7 @@ INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
### 系统所含权限列表
-<center>**系统所含权限列表**
+**系统所含权限列表**
|权限名称|说明|
|:---|:---|
@@ -118,7 +118,6 @@ INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
|LIST\_ROLE|列出所有角色,列出某角色拥有的权限,列出拥有某角色的所有用户三种操作的权限。路径无关|
|GRANT\_ROLE\_PRIVILEGE|grant role priviledges; path independent|
|REVOKE\_ROLE\_PRIVILEGE|撤销角色权限。路径无关|
-</center>
### 用户名限制
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java b/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
index 551e973..60805c6 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/entity/PrivilegeType.java
@@ -18,14 +18,29 @@
*/
package org.apache.iotdb.db.auth.entity;
-/**
- * This enum class contains all available privileges in IoTDB.
- */
+/** This enum class contains all available privileges in IoTDB. */
public enum PrivilegeType {
- SET_STORAGE_GROUP, INSERT_TIMESERIES, UPDATE_TIMESERIES, READ_TIMESERIES, CREATE_TIMESERIES, DELETE_TIMESERIES,
- CREATE_USER, DELETE_USER, MODIFY_PASSWORD, LIST_USER, GRANT_USER_PRIVILEGE, REVOKE_USER_PRIVILEGE,
- GRANT_USER_ROLE, REVOKE_USER_ROLE, CREATE_ROLE, DELETE_ROLE, LIST_ROLE, GRANT_ROLE_PRIVILEGE,
- REVOKE_ROLE_PRIVILEGE, ALL;
+ SET_STORAGE_GROUP,
+ INSERT_TIMESERIES,
+ @Deprecated
+ UPDATE_TIMESERIES,
+ READ_TIMESERIES,
+ CREATE_TIMESERIES,
+ DELETE_TIMESERIES,
+ CREATE_USER,
+ DELETE_USER,
+ MODIFY_PASSWORD,
+ LIST_USER,
+ GRANT_USER_PRIVILEGE,
+ REVOKE_USER_PRIVILEGE,
+ GRANT_USER_ROLE,
+ REVOKE_USER_ROLE,
+ CREATE_ROLE,
+ DELETE_ROLE,
+ LIST_ROLE,
+ GRANT_ROLE_PRIVILEGE,
+ REVOKE_ROLE_PRIVILEGE,
+ ALL;
/**
* Some privileges need a seriesPath as parameter, while others do not. This method returns which
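Review bot: `@Deprecated` on `UPDATE_TIMESERIES` has no explanation, so nothing tells a maintainer why the constant is kept rather than deleted. The tests in this commit pass `PrivilegeType.X.ordinal()` as the privilege id, so the declaration order appears to be part of the stored authorization data; removing or reordering a constant would silently change which privilege an existing id denotes. I would add a Javadoc line above the constant, for example `/** @deprecated kept only so the ordinals of the following constants do not shift; do not remove or reorder. */`. Separately, the English Administration.md hunk replaces the `INSERT_TIMESERIES` row instead of adding beside it, although the enum still declares that privilege, so the table looks like it now omits it. The enum body continues past the end of this hunk.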
diff --git a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
index fa4997c..99896f7 100644
--- a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
+++ b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
@@ -18,19 +18,21 @@
*/
package org.apache.iotdb.db.utils;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
import org.apache.iotdb.db.auth.AuthException;
import org.apache.iotdb.db.auth.entity.PathPrivilege;
import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConstant;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import java.io.UnsupportedEncodingException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
public class AuthUtils {
private static final Logger logger = LoggerFactory.getLogger(AuthUtils.class);
@@ -42,9 +44,7 @@ public class AuthUtils {
private static final String ENCRYPT_ALGORITHM = "MD5";
private static final String STRING_ENCODING = "utf-8";
- private AuthUtils() {
-
- }
+ private AuthUtils() {}
/**
* validate password size.
@@ -106,8 +106,8 @@ public class AuthUtils {
public static void validatePath(String path) throws AuthException {
if (!path.startsWith(ROOT_PREFIX)) {
throw new AuthException(
- String.format("Illegal seriesPath %s, seriesPath should start with \"%s\"", path,
- ROOT_PREFIX));
+ String.format(
+ "Illegal seriesPath %s, seriesPath should start with \"%s\"", path, ROOT_PREFIX));
}
}
@@ -129,7 +129,6 @@ public class AuthUtils {
case CREATE_TIMESERIES:
case DELETE_TIMESERIES:
case INSERT_TIMESERIES:
- case UPDATE_TIMESERIES:
return;
default:
throw new AuthException(
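Review bot: Dropping `case UPDATE_TIMESERIES:` here (and in the matching switch of the next hunk, at -142) sends that privilege to the `default` branch, which in this switch throws `AuthException`, while the enum constant remains and grants stored under its id before the upgrade may still exist. If revocation passes through the same validation, an administrator might be unable to revoke such a leftover grant; that path is not visible here and is worth confirming. A comment on the case list such as `// UPDATE_TIMESERIES is deprecated and intentionally rejected for new grants` would record the intent. The enclosing method starts and ends outside the hunk.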
@@ -142,7 +141,6 @@ public class AuthUtils {
case CREATE_TIMESERIES:
case DELETE_TIMESERIES:
case INSERT_TIMESERIES:
- case UPDATE_TIMESERIES:
validatePath(path);
return;
default:
@@ -174,12 +172,12 @@ public class AuthUtils {
* @param pathA sub-path
* @param pathB path
* @return True if pathA == pathB, or pathA is an extension of pathB, e.g. pathA = "root.a.b.c"
- * and pathB = "root.a"
+ * and pathB = "root.a"
*/
public static boolean pathBelongsTo(String pathA, String pathB) {
return pathA.equals(pathB)
|| (pathA.startsWith(pathB)
- && pathA.charAt(pathB.length()) == IoTDBConstant.PATH_SEPARATOR);
+ && pathA.charAt(pathB.length()) == IoTDBConstant.PATH_SEPARATOR);
}
/**
@@ -190,20 +188,21 @@ public class AuthUtils {
* @param privilegeList privileges in List structure
* @return True if privilege-check passed
*/
- public static boolean checkPrivilege(String path, int privilegeId,
- List<PathPrivilege> privilegeList) {
+ public static boolean checkPrivilege(
+ String path, int privilegeId, List<PathPrivilege> privilegeList) {
if (privilegeList == null) {
return false;
}
for (PathPrivilege pathPrivilege : privilegeList) {
if (path != null) {
- if (pathPrivilege.getPath() != null &&
- AuthUtils.pathBelongsTo(path, pathPrivilege.getPath()) &&
- pathPrivilege.getPrivileges().contains(privilegeId)) {
+ if (pathPrivilege.getPath() != null
+ && AuthUtils.pathBelongsTo(path, pathPrivilege.getPath())
+ && pathPrivilege.getPrivileges().contains(privilegeId)) {
return true;
}
} else {
- if (pathPrivilege.getPath() == null && pathPrivilege.getPrivileges().contains(privilegeId)) {
+ if (pathPrivilege.getPath() == null
+ && pathPrivilege.getPrivileges().contains(privilegeId)) {
return true;
}
}
@@ -215,7 +214,7 @@ public class AuthUtils {
* get privileges.
*
* @param path The seriesPath on which the privileges take effect. If seriesPath-free privileges
- * are desired, this should be null.
+ * are desired, this should be null.
* @return The privileges granted to the role.
*/
public static Set<Integer> getPrivileges(String path, List<PathPrivilege> privilegeList) {
@@ -225,7 +224,8 @@ public class AuthUtils {
Set<Integer> privileges = new HashSet<>();
for (PathPrivilege pathPrivilege : privilegeList) {
if (path != null) {
- if (pathPrivilege.getPath() != null && AuthUtils.pathBelongsTo(path, pathPrivilege.getPath())) {
+ if (pathPrivilege.getPath() != null
+ && AuthUtils.pathBelongsTo(path, pathPrivilege.getPath())) {
privileges.addAll(pathPrivilege.getPrivileges());
}
} else {
@@ -245,10 +245,11 @@ public class AuthUtils {
* @param privilegeList privileges in List structure
* @return True if series path has this privilege
*/
- public static boolean hasPrivilege(String path, int privilegeId,
- List<PathPrivilege> privilegeList) {
+ public static boolean hasPrivilege(
+ String path, int privilegeId, List<PathPrivilege> privilegeList) {
for (PathPrivilege pathPrivilege : privilegeList) {
- if (pathPrivilege.getPath().equals(path) && pathPrivilege.getPrivileges().contains(privilegeId)) {
+ if (pathPrivilege.getPath().equals(path)
+ && pathPrivilege.getPrivileges().contains(privilegeId)) {
pathPrivilege.getReferenceCnt().incrementAndGet();
return true;
}
@@ -294,8 +295,8 @@ public class AuthUtils {
* @param privilegeId privilege Id
* @param privilegeList privileges in List structure
*/
- public static void removePrivilege(String path, int privilegeId,
- List<PathPrivilege> privilegeList) {
+ public static void removePrivilege(
+ String path, int privilegeId, List<PathPrivilege> privilegeList) {
PathPrivilege emptyPrivilege = null;
for (PathPrivilege pathPrivilege : privilegeList) {
if (pathPrivilege.getPath().equals(path)) {
@@ -315,5 +316,4 @@ public class AuthUtils {
privilegeList.remove(emptyPrivilege);
}
}
-
}
diff --git a/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java b/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
index 5f394f8..511924d 100644
--- a/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
+++ b/server/src/test/java/org/apache/iotdb/db/auth/AuthorityCheckerTest.java
@@ -73,8 +73,6 @@ public class AuthorityCheckerTest {
authorizer.grantPrivilegeToUser(
user.getName(), nodeName, PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal());
authorizer.grantPrivilegeToUser(
- user.getName(), nodeName, PrivilegeType.UPDATE_TIMESERIES.ordinal());
- authorizer.grantPrivilegeToUser(
user.getName(), nodeName, PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal());
authorizer.grantPrivilegeToUser(
user.getName(), nodeName, PrivilegeType.GRANT_USER_PRIVILEGE.ordinal());
diff --git a/server/src/test/java/org/apache/iotdb/db/auth/LocalFileAuthorizerTest.java b/server/src/test/java/org/apache/iotdb/db/auth/LocalFileAuthorizerTest.java
index 485bb5b..8907fc4 100644
--- a/server/src/test/java/org/apache/iotdb/db/auth/LocalFileAuthorizerTest.java
+++ b/server/src/test/java/org/apache/iotdb/db/auth/LocalFileAuthorizerTest.java
@@ -18,22 +18,24 @@
*/
package org.apache.iotdb.db.auth;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.List;
-import java.util.Set;
-import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
+import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
import org.apache.iotdb.db.auth.entity.User;
import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.utils.EnvironmentUtils;
+
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
public class LocalFileAuthorizerTest {
@Before
@@ -222,7 +224,6 @@ public class LocalFileAuthorizerTest {
}
try {
authorizer.grantPrivilegeToUser(user.getName(), nodeName, 1);
- authorizer.grantPrivilegeToRole(roleName, nodeName, 2);
authorizer.grantPrivilegeToRole(roleName, nodeName, 3);
} catch (AuthException e) {
e.printStackTrace();
@@ -230,11 +231,10 @@ public class LocalFileAuthorizerTest {
}
try {
Set<Integer> permisssions = authorizer.getPrivileges(user.getName(), nodeName);
- assertEquals(3, permisssions.size());
+ assertEquals(2, permisssions.size());
assertTrue(permisssions.contains(1));
- assertTrue(permisssions.contains(2));
assertTrue(permisssions.contains(3));
- assertFalse(permisssions.contains(4));
+ assertFalse(permisssions.contains(2));
} catch (AuthException e) {
e.printStackTrace();
fail(e.getMessage());
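Review bot: Nothing in this test pins the behaviour the commit introduces; the new assertions only show that id 2 is absent because it is no longer granted a few lines above. If granting the deprecated privilege is now meant to fail (the AuthUtils change suggests so), a negative case would be stronger: call `authorizer.grantPrivilegeToRole(roleName, nodeName, 2)` and `fail()` unless it throws `AuthException`. The bare literals 1, 2 and 3 appear to be enum ordinals, so writing them as `PrivilegeType.UPDATE_TIMESERIES.ordinal()` and so on (with the matching import) would make the intent readable. The test method starts and ends outside the hunk.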