You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@iotdb.apache.org by qi...@apache.org on 2022/08/14 02:30:33 UTC
[iotdb] branch rel/0.13 updated: [TO rel/0.13] [IOTDB-4018] The path in the permissions contains wildcards * and ** path adaptation does not work (#6861)
This is an automated email from the ASF dual-hosted git repository.
qiaojialin pushed a commit to branch rel/0.13
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/rel/0.13 by this push:
new 9348457efb [TO rel/0.13] [IOTDB-4018] The path in the permissions contains wildcards * and ** path adaptation does not work (#6861)
9348457efb is described below
commit 9348457efb98b4b4cf7667de1204a6aeefe1f9ee
Author: 任宇华 <79...@users.noreply.github.com>
AuthorDate: Sun Aug 14 10:30:28 2022 +0800
[TO rel/0.13] [IOTDB-4018] The path in the permissions contains wildcards * and ** path adaptation does not work (#6861)
---
.../Administration-Management/Administration.md | 46 +++---
.../Administration-Management/Administration.md | 44 ++++--
.../iotdb/db/integration/IoTDBAuthorizationIT.java | 167 +++++++++++++++------
.../org/apache/iotdb/db/auth/AuthorityChecker.java | 4 +-
.../iotdb/db/auth/authorizer/BasicAuthorizer.java | 9 +-
.../java/org/apache/iotdb/db/auth/entity/Role.java | 5 +-
.../java/org/apache/iotdb/db/auth/entity/User.java | 5 +-
.../java/org/apache/iotdb/db/utils/AuthUtils.java | 31 ++--
8 files changed, 206 insertions(+), 105 deletions(-)
diff --git a/docs/UserGuide/Administration-Management/Administration.md b/docs/UserGuide/Administration-Management/Administration.md
index b2d25737bf..ba1f4cdfc1 100644
--- a/docs/UserGuide/Administration-Management/Administration.md
+++ b/docs/UserGuide/Administration-Management/Administration.md
@@ -34,7 +34,7 @@ The user is the legal user of the database. A user corresponds to a unique usern
### Privilege
-The database provides a variety of operations, and not all users can perform all operations. If a user can perform an operation, the user is said to have the privilege to perform the operation. privileges are divided into data management privilege (such as adding, deleting and modifying data) and authority management privilege (such as creation and deletion of users and roles, granting and revoking of privileges, etc.). Data management privilege often needs a path to limit its effective [...]
+The database provides a variety of operations, and not all users can perform all operations. If a user can perform an operation, the user is said to have the privilege to perform the operation. privileges are divided into data management privilege (such as adding, deleting and modifying data) and authority management privilege (such as creation and deletion of users and roles, granting and revoking of privileges, etc.). Data management privilege often needs a path to limit its effective [...]
### Role
@@ -50,7 +50,7 @@ According to the [sample data](https://github.com/thulab/iotdb/files/4438687/Oth
### Create User
-We use `CREATE USER <userName> <password>` to create users. For example, we can create two users for ln and sgcc groups, named ln\_write\_user and sgcc\_write\_user, with both passwords being write\_pwd. The SQL statement is:
+We use `CREATE USER <userName> <password>` to create users. For example, we can use root user who has all privileges to create two users for ln and sgcc groups, named ln\_write\_user and sgcc\_write\_user, with both passwords being write\_pwd. The SQL statement is:
```
CREATE USER ln_write_user 'write_pwd'
@@ -88,42 +88,46 @@ The SQL statement will not be executed and the corresponding error prompt is giv
Msg: 602: No permissions for this operation INSERT
```
-Now, we grant the two users write privileges to the corresponding storage groups, and try to write data again.
+Now, we use root user to grant the two users write privileges to the corresponding storage groups.
We use `GRANT USER <userName> PRIVILEGES <privileges> ON <nodeName>` to grant user privileges. For example:
```
-GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
-GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
+GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
```
The execution result is as follows:
```
-IoTDB> GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
+IoTDB> GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
Msg: The statement is executed successfully.
-IoTDB> GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+IoTDB> GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
Msg: The statement is executed successfully.
+```
+
+Next, use ln_write_user to try to write data again.
+```
IoTDB> INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
Msg: The statement is executed successfully.
```
### Revoker User Privilege
-After granting user privileges, we could use `REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeName>` to revoke the granted user privileges. For example:
+After granting user privileges, we could use `REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeName>` to revoke the granted user privileges. For example, use root user to revoke the privilege of ln_write_user and sgcc_write_user:
```
-REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
-REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
+REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
```
The execution result is as follows:
```
-REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
+REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
Msg: The statement is executed successfully.
-REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
Msg: The statement is executed successfully.
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
Msg: 602: No permissions for this operation INSERT
@@ -165,14 +169,14 @@ Eg: IoTDB > DROP ROLE admin;
```
GRANT USER <userName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln;
+Eg: IoTDB > GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln.**;
```
* Grant Role Privileges
```
GRANT ROLE <roleName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > GRANT ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln;
+Eg: IoTDB > GRANT ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
```
* Grant User Role
@@ -186,14 +190,14 @@ Eg: IoTDB > GRANT temprole TO tempuser;
```
REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln;
+Eg: IoTDB > REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln.**;
```
* Revoke Role Privileges
```
REVOKE ROLE <roleName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > REVOKE ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln;
+Eg: IoTDB > REVOKE ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
```
* Revoke Role From User
@@ -221,7 +225,7 @@ Eg: IoTDB > LIST ROLE
```
LIST PRIVILEGES USER <username> ON <path>;
-Eg: IoTDB > LIST PRIVILEGES USER sgcc_wirte_user ON root.sgcc;
+Eg: IoTDB > LIST PRIVILEGES USER sgcc_wirte_user ON root.sgcc.**;
```
* List Privileges of Roles
@@ -235,7 +239,7 @@ Eg: IoTDB > LIST ROLE PRIVILEGES actor;
```
LIST PRIVILEGES ROLE <roleName> ON <path>;
-Eg: IoTDB > LIST PRIVILEGES ROLE wirte_role ON root.sgcc;
+Eg: IoTDB > LIST PRIVILEGES ROLE wirte_role ON root.sgcc.**;
```
* List Privileges of Users
@@ -325,3 +329,9 @@ IoTDB specifies that the character length of a password should have no less than
### Role Name Restrictions
IoTDB specifies that the character length of a role name should have no less than 4 character length, and no spaces.
+### Path pattern in Administration Management
+
+A path pattern's result set contains all the elements of its sub pattern's
+result set. For example, `root.sg.d.*` is a sub pattern of
+`root.sg.*.*`, while `root.sg.**` is not a sub pattern of
+`root.sg.*.*`. When a user is granted privilege on a pattern, the pattern used in his DDL or DML must be a sub pattern of the privilege pattern, which guarantees that the user won't access the timeseries exceed his privilege scope.
\ No newline at end of file
diff --git a/docs/zh/UserGuide/Administration-Management/Administration.md b/docs/zh/UserGuide/Administration-Management/Administration.md
index 412452bd67..cbfac03b05 100644
--- a/docs/zh/UserGuide/Administration-Management/Administration.md
+++ b/docs/zh/UserGuide/Administration-Management/Administration.md
@@ -33,7 +33,7 @@ IoTDB 为用户提供了权限管理操作,从而为用户提供对于数据
### 权限
-数据库提供多种操作,并不是所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。权限可分为数据管理权限(如对数据进行增删改查)以及权限管理权限(用户、角色的创建与删除,权限的赋予与撤销等)。数据管理权限往往需要一个路径来限定其生效范围,它的生效范围是以该路径对应的节点为根的一棵子树(具体请参考 IoTDB 的数据组织)。
+数据库提供多种操作,并不是所有的用户都能执行所有操作。如果一个用户可以执行某项操作,则称该用户有执行该操作的权限。权限可分为数据管理权限(如对数据进行增删改查)以及权限管理权限(用户、角色的创建与删除,权限的赋予与撤销等)。数据管理权限往往需要一个路径来限定其生效范围,可使用[路径模式](../Data-Concept/Data-Model-and-Terminology.md)灵活管理权限。
### 角色
@@ -49,7 +49,7 @@ IoTDB 为用户提供了权限管理操作,从而为用户提供对于数据
### 创建用户
-使用 `CREATE USER <userName> <password>` 创建用户。我们可以为 ln 和 sgcc 集团创建两个用户角色,名为 ln_write_user, sgcc_write_user,密码均为 write_pwd。SQL 语句为:
+使用 `CREATE USER <userName> <password>` 创建用户。例如,我们可以使用具有所有权限的root用户为 ln 和 sgcc 集团创建两个用户角色,名为 ln_write_user, sgcc_write_user,密码均为 write_pwd。SQL 语句为:
```
CREATE USER ln_write_user 'write_pwd'
@@ -94,9 +94,9 @@ INSERT INTO root.ln.wf01.wt01(timestamp,status) values(1509465600000,true)
Msg: 602: No permissions for this operation INSERT
```
-现在,我们分别赋予他们向对应存储组数据的写入权限,并再次尝试向对应的存储组进行数据写入。
+现在,我们用root用户分别赋予他们向对应存储组数据的写入权限.
-我们 `GRANT USER <userName> PRIVILEGES <privileges> ON <nodeName>` 语句赋予用户权限,例如:
+我们使用 `GRANT USER <userName> PRIVILEGES <privileges> ON <nodeName>` 语句赋予用户权限,例如:
```
GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
@@ -105,10 +105,14 @@ INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
执行状态如下所示:
```
-IoTDB> GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
+IoTDB> GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
Msg: The statement is executed successfully.
-IoTDB> GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+IoTDB> GRANT USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
Msg: The statement is executed successfully.
+```
+
+接着使用ln_write_user再尝试写入数据
+```
IoTDB> INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
Msg: The statement is executed successfully.
```
@@ -118,18 +122,22 @@ Msg: The statement is executed successfully.
授予用户权限后,我们可以使用 `REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeName>` 来撤销已授予的用户权限。 例如:
```
-REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
-REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
+REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
```
执行状态如下所示:
```
-REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln
+REVOKE USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**
Msg: The statement is executed successfully.
-REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc
+REVOKE USER sgcc_write_user PRIVILEGES INSERT_TIMESERIES on root.sgcc.**
Msg: The statement is executed successfully.
+```
+
+撤销权限后,ln_write_user就没有向root.ln.**写入数据的权限了。
+```
INSERT INTO root.ln.wf01.wt01(timestamp, status) values(1509465600000, true)
Msg: 602: No permissions for this operation INSERT
```
@@ -170,14 +178,14 @@ Eg: IoTDB > DROP ROLE admin;
```
GRANT USER <userName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln;
+Eg: IoTDB > GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln.**;
```
* 赋予角色权限
```
GRANT ROLE <roleName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > GRANT ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln;
+Eg: IoTDB > GRANT ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
```
* 赋予用户角色
@@ -191,14 +199,14 @@ Eg: IoTDB > GRANT temprole TO tempuser;
```
REVOKE USER <userName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln;
+Eg: IoTDB > REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.ln.**;
```
* 撤销角色权限
```
REVOKE ROLE <roleName> PRIVILEGES <privileges> ON <nodeName>;
-Eg: IoTDB > REVOKE ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln;
+Eg: IoTDB > REVOKE ROLE temprole PRIVILEGES DELETE_TIMESERIES ON root.ln.**;
```
* 撤销用户角色
@@ -226,7 +234,7 @@ Eg: IoTDB > LIST ROLE
```
LIST PRIVILEGES USER <username> ON <path>;
-Eg: IoTDB > LIST PRIVILEGES USER sgcc_wirte_user ON root.sgcc;
+Eg: IoTDB > LIST PRIVILEGES USER sgcc_wirte_user ON root.sgcc.**;
```
* 列出角色权限
@@ -240,7 +248,7 @@ Eg: IoTDB > LIST ROLE PRIVILEGES actor;
```
LIST PRIVILEGES ROLE <roleName> ON <path>;
-Eg: IoTDB > LIST PRIVILEGES ROLE wirte_role ON root.sgcc;
+Eg: IoTDB > LIST PRIVILEGES ROLE wirte_role ON root.sgcc.**;
```
* 列出用户权限
@@ -332,3 +340,7 @@ IoTDB 规定密码的字符长度不小于 4,其中密码不能包含空格,
### 角色名限制
IoTDB 规定角色名的字符长度不小于 4,其中角色名不能包含空格。
+
+### 权限管理中的路径模式
+
+一个路径模式的结果集包含了它的子模式的结果集的所有元素。例如,`root.sg.d.*`是`root.sg.*.*`的子模式,而`root.sg.**`不是`root.sg.*.*`的子模式。当用户被授予对某个路径模式的权限时,在他的DDL或DML中使用的模式必须是该路径模式的子模式,这保证了用户访问时间序列时不会超出他的权限范围。
\ No newline at end of file
diff --git a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
index 1d82f335e9..dd5f3f39ef 100644
--- a/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
+++ b/integration/src/test/java/org/apache/iotdb/db/integration/IoTDBAuthorizationIT.java
@@ -104,23 +104,23 @@ public class IoTDBAuthorizationIT {
caught = false;
try {
- userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL ON root");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL ON root.**");
userStmt.execute("SET STORAGE GROUP TO root.a");
userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN");
userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)");
userStmt.execute("SELECT * from root.a");
- userStmt.execute("GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a");
- userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a.**");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b.**");
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL ON root");
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL ON root.**");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b.**");
caught = false;
try {
@@ -160,7 +160,7 @@ public class IoTDBAuthorizationIT {
caught = false;
try {
- userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.**");
} catch (SQLException e) {
caught = true;
}
@@ -414,7 +414,7 @@ public class IoTDBAuthorizationIT {
// grant a non-existing user
boolean caught = false;
try {
- adminStmt.execute("GRANT USER nulluser PRIVILEGES SET_STORAGE_GROUP on root.a");
+ adminStmt.execute("GRANT USER nulluser PRIVILEGES SET_STORAGE_GROUP on root.a.**");
} catch (SQLException e) {
caught = true;
}
@@ -423,26 +423,26 @@ public class IoTDBAuthorizationIT {
// grant a non-existing privilege
caught = false;
try {
- adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
// duplicate grant
- adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.a.**");
caught = false;
try {
- adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.a.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
- // grant on a illegal seriesPath
+ // grant on an illegal seriesPath
caught = false;
try {
- adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b.**");
} catch (SQLException e) {
caught = true;
}
@@ -451,7 +451,7 @@ public class IoTDBAuthorizationIT {
// grant admin
caught = false;
try {
- adminStmt.execute("GRANT USER root PRIVILEGES DELETE_TIMESERIES on root.a.b");
+ adminStmt.execute("GRANT USER root PRIVILEGES DELETE_TIMESERIES on root.a.b.**");
} catch (SQLException e) {
caught = true;
}
@@ -460,17 +460,17 @@ public class IoTDBAuthorizationIT {
// no privilege to grant
caught = false;
try {
- userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
// revoke a non-existing privilege
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.a");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.a.**");
caught = false;
try {
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.a");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.a.**");
} catch (SQLException e) {
caught = true;
}
@@ -479,16 +479,16 @@ public class IoTDBAuthorizationIT {
// revoke a non-existing user
caught = false;
try {
- adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES CREATE_USER on root.a");
+ adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES CREATE_USER on root.a.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
- // revoke on a illegal seriesPath
+ // revoke on an illegal seriesPath
caught = false;
try {
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b.**");
} catch (SQLException e) {
caught = true;
}
@@ -497,7 +497,7 @@ public class IoTDBAuthorizationIT {
// revoke admin
caught = false;
try {
- adminStmt.execute("REVOKE USER root PRIVILEGES DELETE_TIMESERIES on root.a.b");
+ adminStmt.execute("REVOKE USER root PRIVILEGES DELETE_TIMESERIES on root.a.b.**");
} catch (SQLException e) {
caught = true;
}
@@ -506,7 +506,7 @@ public class IoTDBAuthorizationIT {
// no privilege to revoke
caught = false;
try {
- userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b");
+ userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b.**");
} catch (SQLException e) {
caught = true;
}
@@ -515,24 +515,24 @@ public class IoTDBAuthorizationIT {
// grant privilege to grant
caught = false;
try {
- userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE on root");
- userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE on root.**");
+ userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**");
// grant privilege to revoke
caught = false;
try {
- userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root");
+ userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**");
} catch (SQLException e) {
caught = true;
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES REVOKE_USER_PRIVILEGE on root");
- userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES REVOKE_USER_PRIVILEGE on root.**");
+ userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**");
}
}
}
@@ -633,15 +633,15 @@ public class IoTDBAuthorizationIT {
assertTrue(caught);
// the user can delete the timeseries now
- adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.b");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.*");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.b.*");
userStmt.execute("DELETE TIMESERIES root.a.b");
// revoke the privilege to delete time series
adminStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN");
adminStmt.execute("SET STORAGE GROUP TO root.b");
adminStmt.execute("CREATE TIMESERIES root.b.a WITH DATATYPE=INT32,ENCODING=PLAIN");
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.*");
userStmt.execute("DELETE TIMESERIES root.b.a");
caught = false;
try {
@@ -682,11 +682,11 @@ public class IoTDBAuthorizationIT {
caught = true;
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.*");
userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)");
// revoke privilege to insert
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.*");
caught = false;
try {
userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)");
@@ -703,14 +703,14 @@ public class IoTDBAuthorizationIT {
caught = true;
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.a");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.a.*");
userStmt.execute("SELECT * from root.a");
userStmt.getResultSet().close();
userStmt.execute("SELECT LAST b from root.a");
userStmt.getResultSet().close();
// revoke privilege to query
- adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_TIMESERIES on root.a");
+ adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_TIMESERIES on root.a.*");
caught = false;
try {
userStmt.execute("SELECT * from root.a");
@@ -745,7 +745,7 @@ public class IoTDBAuthorizationIT {
assertTrue(caught);
adminStmt.execute("CREATE ROLE admin");
adminStmt.execute(
- "GRANT ROLE admin PRIVILEGES SET_STORAGE_GROUP,CREATE_TIMESERIES,DELETE_TIMESERIES,READ_TIMESERIES,INSERT_TIMESERIES on root");
+ "GRANT ROLE admin PRIVILEGES SET_STORAGE_GROUP,CREATE_TIMESERIES,DELETE_TIMESERIES,READ_TIMESERIES,INSERT_TIMESERIES on root.**");
adminStmt.execute("GRANT admin TO tempuser");
userStmt.execute("SET STORAGE GROUP TO root.a");
@@ -756,7 +756,7 @@ public class IoTDBAuthorizationIT {
userStmt.execute("SELECT * FROM root.**");
userStmt.getResultSet().close();
- adminStmt.execute("REVOKE ROLE admin PRIVILEGES DELETE_TIMESERIES on root");
+ adminStmt.execute("REVOKE ROLE admin PRIVILEGES DELETE_TIMESERIES on root.**");
caught = false;
try {
userStmt.execute("DELETE FROM root.* WHERE TIME <= 1000000000");
@@ -765,7 +765,7 @@ public class IoTDBAuthorizationIT {
}
assertTrue(caught);
- adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.**");
adminStmt.execute("REVOKE admin FROM tempuser");
userStmt.execute("SELECT * FROM root.**");
userStmt.getResultSet().close();
@@ -939,36 +939,100 @@ public class IoTDBAuthorizationIT {
adminStmt.execute("CREATE ROLE role1");
adminStmt.execute(
"GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.b.*.*");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.c.**");
adminStmt.execute(
"GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.e.*.*.f");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.f.**.g");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.g.*.h.*");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.h.**.i.**");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.i.*.j.**");
+ adminStmt.execute(
+ "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.j.**.k.*");
adminStmt.execute("GRANT role1 TO user1");
- ResultSet resultSet = adminStmt.executeQuery("LIST USER PRIVILEGES user1");
+ ResultSet resultSet = adminStmt.executeQuery("LIST USER PRIVILEGES user1");
String ans =
",root.a.b : READ_TIMESERIES"
+ ",\n"
+ "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ ",\n"
+ + "role1,root.b.*.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.c.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ "role1,root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.e.*.*.f : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.f.**.g : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.g.*.h.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.h.**.i.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.i.*.j.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ + ",\n"
+ + "role1,root.j.**.k.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
+ ",\n";
try {
validateResultSet(resultSet, ans);
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b");
+ ans = ",root.a.b : READ_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c");
- ans =
- ",root.a.b : READ_TIMESERIES"
- + ",\n"
- + "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES"
- + ",\n";
+ ans = "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.b.x1.x2");
+ ans = "role1,root.b.*.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.c.d.e");
+ ans = "role1,root.c.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.e.x1.x2.f");
+ ans = "role1,root.e.*.*.f : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.f.x1.x2.g");
+ ans = "role1,root.f.**.g : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.g.x1.h.x2");
+ ans = "role1,root.g.*.h.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.h.x1.x2.i.x3.x4");
+ ans = "role1,root.h.**.i.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.i.x1.j.x2.x3");
+ ans = "role1,root.i.*.j.** : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
+ validateResultSet(resultSet, ans);
+
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.j.x1.x2.k.x3");
+ ans = "role1,root.j.**.k.* : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE role1 from user1");
- resultSet = adminStmt.executeQuery("LIST USER PRIVILEGES user1");
+ resultSet = adminStmt.executeQuery("LIST USER PRIVILEGES user1");
ans = ",root.a.b : READ_TIMESERIES,\n";
validateResultSet(resultSet, ans);
- resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c");
+ resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b");
ans = ",root.a.b : READ_TIMESERIES,\n";
validateResultSet(resultSet, ans);
} finally {
@@ -999,6 +1063,7 @@ public class IoTDBAuthorizationIT {
"GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c");
adminStmt.execute(
"GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c");
+
resultSet = adminStmt.executeQuery("LIST ROLE PRIVILEGES role1");
ans =
"root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"
@@ -1156,6 +1221,7 @@ public class IoTDBAuthorizationIT {
}
builder.append("\n");
}
+ final String s = builder.toString();
assertEquals(ans, builder.toString());
} finally {
set.close();
@@ -1186,7 +1252,7 @@ public class IoTDBAuthorizationIT {
validateResultSet(resultSet, ans);
// with list user privilege
- adminStmt.execute("GRANT USER tempuser PRIVILEGES LIST_USER ON root");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES LIST_USER ON root.**");
resultSet = userStmt.executeQuery("LIST USER");
ans =
"root,\n"
@@ -1247,7 +1313,7 @@ public class IoTDBAuthorizationIT {
Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
Statement adminStmt = adminCon.createStatement()) {
adminStmt.execute("CREATE USER tempuser 'temppw'");
- adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.sg1");
+ adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.sg1.**");
try (Connection userCon =
DriverManager.getConnection(
@@ -1294,7 +1360,8 @@ public class IoTDBAuthorizationIT {
Statement adminStatement = adminConnection.createStatement()) {
adminStatement.execute("CREATE USER a_application 'a_application'");
adminStatement.execute("CREATE ROLE application_role");
- adminStatement.execute("GRANT ROLE application_role PRIVILEGES READ_TIMESERIES ON root.test");
+ adminStatement.execute(
+ "GRANT ROLE application_role PRIVILEGES READ_TIMESERIES ON root.test.**");
adminStatement.execute("GRANT application_role TO a_application");
adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3) VALUES(1, 2, 3, 4)");
@@ -1319,7 +1386,7 @@ public class IoTDBAuthorizationIT {
Config.IOTDB_URL_PREFIX + "127.0.0.1:6667/", "root", "root");
Statement adminStatement = adminConnection.createStatement()) {
adminStatement.execute("CREATE USER a_application 'a_application'");
- adminStatement.execute("GRANT USER a_application PRIVILEGES READ_TIMESERIES on root.ln;");
+ adminStatement.execute("GRANT USER a_application PRIVILEGES READ_TIMESERIES on root.ln.**;");
adminStatement.execute("INSERT INTO root.ln.wt01.wf01(time, s1) VALUES(1, 2)");
}
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
index 154e523d9b..ca590b5d82 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
@@ -21,10 +21,10 @@ package org.apache.iotdb.db.auth;
import org.apache.iotdb.db.auth.authorizer.BasicAuthorizer;
import org.apache.iotdb.db.auth.authorizer.IAuthorizer;
import org.apache.iotdb.db.auth.entity.PrivilegeType;
-import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.conf.IoTDBDescriptor;
import org.apache.iotdb.db.metadata.path.PartialPath;
import org.apache.iotdb.db.qp.logical.Operator;
+import org.apache.iotdb.db.utils.AuthUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -83,7 +83,7 @@ public class AuthorityChecker {
throws AuthException {
IAuthorizer authorizer = BasicAuthorizer.getInstance();
try {
- String fullPath = path == null ? IoTDBConstant.PATH_ROOT : path.getFullPath();
+ String fullPath = path == null ? AuthUtils.ROOT_PATH_PRIVILEGE : path.getFullPath();
if (authorizer.checkUserPrivileges(username, fullPath, permission)) {
return true;
}
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
index 23af06c395..45f3626348 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/authorizer/BasicAuthorizer.java
@@ -24,7 +24,6 @@ import org.apache.iotdb.db.auth.entity.Role;
import org.apache.iotdb.db.auth.entity.User;
import org.apache.iotdb.db.auth.role.IRoleManager;
import org.apache.iotdb.db.auth.user.IUserManager;
-import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.conf.IoTDBDescriptor;
import org.apache.iotdb.db.exception.StartupException;
import org.apache.iotdb.db.service.IService;
@@ -134,7 +133,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
throw new AuthException("Invalid operation, administrator already has all privileges");
}
if (!PrivilegeType.isPathRelevant(privilegeId)) {
- newPath = IoTDBConstant.PATH_ROOT;
+ newPath = AuthUtils.ROOT_PATH_PRIVILEGE;
}
if (!userManager.grantPrivilegeToUser(username, newPath, privilegeId)) {
throw new AuthException(
@@ -151,7 +150,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
}
String p = path;
if (!PrivilegeType.isPathRelevant(privilegeId)) {
- p = IoTDBConstant.PATH_ROOT;
+ p = AuthUtils.ROOT_PATH_PRIVILEGE;
}
if (!userManager.revokePrivilegeFromUser(username, p, privilegeId)) {
throw new AuthException(
@@ -195,7 +194,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
throws AuthException {
String p = path;
if (!PrivilegeType.isPathRelevant(privilegeId)) {
- p = IoTDBConstant.PATH_ROOT;
+ p = AuthUtils.ROOT_PATH_PRIVILEGE;
}
if (!roleManager.grantPrivilegeToRole(roleName, p, privilegeId)) {
throw new AuthException(
@@ -209,7 +208,7 @@ public abstract class BasicAuthorizer implements IAuthorizer, IService {
throws AuthException {
String p = path;
if (!PrivilegeType.isPathRelevant(privilegeId)) {
- p = IoTDBConstant.PATH_ROOT;
+ p = AuthUtils.ROOT_PATH_PRIVILEGE;
}
if (!roleManager.revokePrivilegeFromRole(roleName, p, privilegeId)) {
throw new AuthException(
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/entity/Role.java b/server/src/main/java/org/apache/iotdb/db/auth/entity/Role.java
index 09ac9fae93..a4d5e83798 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/entity/Role.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/entity/Role.java
@@ -18,6 +18,7 @@
*/
package org.apache.iotdb.db.auth.entity;
+import org.apache.iotdb.db.auth.AuthException;
import org.apache.iotdb.db.utils.AuthUtils;
import org.apache.iotdb.db.utils.SerializeUtils;
@@ -82,11 +83,11 @@ public class Role {
}
}
- public Set<Integer> getPrivileges(String path) {
+ public Set<Integer> getPrivileges(String path) throws AuthException {
return AuthUtils.getPrivileges(path, privilegeList);
}
- public boolean checkPrivilege(String path, int privilegeId) {
+ public boolean checkPrivilege(String path, int privilegeId) throws AuthException {
return AuthUtils.checkPrivilege(path, privilegeId, privilegeList);
}
diff --git a/server/src/main/java/org/apache/iotdb/db/auth/entity/User.java b/server/src/main/java/org/apache/iotdb/db/auth/entity/User.java
index 200320ad6e..32c3b7fec6 100644
--- a/server/src/main/java/org/apache/iotdb/db/auth/entity/User.java
+++ b/server/src/main/java/org/apache/iotdb/db/auth/entity/User.java
@@ -18,6 +18,7 @@
*/
package org.apache.iotdb.db.auth.entity;
+import org.apache.iotdb.db.auth.AuthException;
import org.apache.iotdb.db.utils.AuthUtils;
import org.apache.iotdb.db.utils.SerializeUtils;
@@ -133,11 +134,11 @@ public class User {
return roleList.contains(roleName);
}
- public Set<Integer> getPrivileges(String path) {
+ public Set<Integer> getPrivileges(String path) throws AuthException {
return AuthUtils.getPrivileges(path, privilegeList);
}
- public boolean checkPrivilege(String path, int privilegeId) {
+ public boolean checkPrivilege(String path, int privilegeId) throws AuthException {
return AuthUtils.checkPrivilege(path, privilegeId, privilegeList);
}
diff --git a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
index 6724ad845a..06e76e0375 100644
--- a/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
+++ b/server/src/main/java/org/apache/iotdb/db/utils/AuthUtils.java
@@ -23,6 +23,8 @@ import org.apache.iotdb.db.auth.entity.PathPrivilege;
import org.apache.iotdb.db.auth.entity.PrivilegeType;
import org.apache.iotdb.db.conf.IoTDBConstant;
import org.apache.iotdb.db.conf.IoTDBDescriptor;
+import org.apache.iotdb.db.exception.metadata.IllegalPathException;
+import org.apache.iotdb.db.metadata.path.PartialPath;
import org.apache.iotdb.db.security.encrypt.AsymmetricEncryptFactory;
import org.slf4j.Logger;
@@ -42,6 +44,10 @@ public class AuthUtils {
private static final String ROOT_PREFIX = IoTDBConstant.PATH_ROOT;
private static final String ENCRYPT_ALGORITHM = "MD5";
private static final String STRING_ENCODING = "utf-8";
+ public static final String ROOT_PATH_PRIVILEGE =
+ IoTDBConstant.PATH_ROOT
+ + IoTDBConstant.PATH_SEPARATOR
+ + IoTDBConstant.MULTI_LEVEL_PATH_WILDCARD;
private AuthUtils() {}
@@ -129,7 +135,7 @@ public class AuthUtils {
public static void validatePrivilegeOnPath(String path, int privilegeId) throws AuthException {
validatePrivilege(privilegeId);
PrivilegeType type = PrivilegeType.values()[privilegeId];
- if (!path.equals(IoTDBConstant.PATH_ROOT)) {
+ if (!path.equals(ROOT_PATH_PRIVILEGE)) {
validatePath(path);
switch (type) {
case READ_TIMESERIES:
@@ -185,17 +191,21 @@ public class AuthUtils {
}
/**
- * check if pathA belongs to pathB.
+ * check if pathA belongs to pathB according to path pattern.
*
* @param pathA sub-path
* @param pathB path
- * @return True if pathA == pathB, or pathA is an extension of pathB, e.g. pathA = "root.a.b.c"
- * and pathB = "root.a"
+ * @return True if pathA is a sub pattern of pathB, e.g. pathA = "root.a.b.c" and pathB =
+ * "root.a.b.*", "root.a.**", "root.a.*.c", "root.**.c" or "root.*.b.**"
*/
- public static boolean pathBelongsTo(String pathA, String pathB) {
- return pathA.equals(pathB)
- || (pathA.startsWith(pathB)
- && pathA.charAt(pathB.length()) == IoTDBConstant.PATH_SEPARATOR);
+ public static boolean pathBelongsTo(String pathA, String pathB) throws AuthException {
+ try {
+ PartialPath partialPathA = new PartialPath(pathA);
+ PartialPath partialPathB = new PartialPath(pathB);
+ return partialPathB.matchFullPath(partialPathA);
+ } catch (IllegalPathException e) {
+ throw new AuthException(e);
+ }
}
/**
@@ -207,7 +217,7 @@ public class AuthUtils {
* @return True if privilege-check passed
*/
public static boolean checkPrivilege(
- String path, int privilegeId, List<PathPrivilege> privilegeList) {
+ String path, int privilegeId, List<PathPrivilege> privilegeList) throws AuthException {
if (privilegeList == null) {
return false;
}
@@ -235,7 +245,8 @@ public class AuthUtils {
* are desired, this should be null.
* @return The privileges granted to the role.
*/
- public static Set<Integer> getPrivileges(String path, List<PathPrivilege> privilegeList) {
+ public static Set<Integer> getPrivileges(String path, List<PathPrivilege> privilegeList)
+ throws AuthException {
if (privilegeList == null) {
return new HashSet<>();
}