Posted to commits@doris.apache.org by mo...@apache.org on 2023/06/02 09:53:52 UTC

[doris] branch master updated: [Enhancement](tvf) Backends tvf supports authentication (#20333)

This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 4395fb70c4 [Enhancement](tvf) Backends tvf supports authentication (#20333)
4395fb70c4 is described below

commit 4395fb70c456bf0bdd53351d4188d73142688975
Author: yongjinhou <10...@users.noreply.github.com>
AuthorDate: Fri Jun 2 17:53:44 2023 +0800

    [Enhancement](tvf) Backends tvf supports authentication (#20333)
    
    Add authentication (an ADMIN/OPERATOR privilege check) for the backends tvf.
---
 .../sql-manual/sql-functions/table-functions/backends.md |  2 ++
 .../sql-manual/sql-functions/table-functions/backends.md |  4 +++-
 .../java/org/apache/doris/analysis/ShowBackendsStmt.java |  6 ++++--
 .../apache/doris/analysis/TableValuedFunctionRef.java    | 16 ++++++++++++++++
 .../org/apache/doris/mysql/privilege/PrivPredicate.java  |  2 +-
 5 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md b/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md
index d6dae3bb3d..4fea18e317 100644
--- a/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md
+++ b/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md
@@ -81,6 +81,8 @@ mysql> desc function backends();
 
 The information displayed by the `backends` tvf is basically consistent with the information displayed by the `show backends` statement. However, the types of each field in the `backends` tvf are more specific, and you can use the `backends` tvf to perform operations such as filtering and joining.
 
+The information displayed by the `backends` tvf is authenticated, which is consistent with the behavior of `show backends`, user must have ADMIN/OPERATOR privelege.
+
 ### example
 ```
 mysql> select * from backends()\G
diff --git a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md
index 95c4c5725f..14e792dc3d 100644
--- a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md
+++ b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md
@@ -78,7 +78,9 @@ mysql> desc function backends();
 25 rows in set (0.04 sec)
 ```
 
-`backends()` tvf展示出来的信息基本与 `show backends` 语句展示出的信息一致,但是`backends()` tvf的各个字段类型更加明确,且可以利用tvf生成的表去做过滤、join等操作。
+`backends()` tvf展示出来的信息基本与 `show backends` 语句展示出的信息一致,但是 `backends()` tvf的各个字段类型更加明确,且可以利用tvf生成的表去做过滤、join等操作。
+
+对 `backends()` tvf信息展示进行了鉴权,与 `show backends` 行为保持一致,要求用户具有 ADMIN/OPERATOR 权限。
 
 ### example
 ```
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java
index 69e2708d3e..46009bd1c0 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java
@@ -20,9 +20,9 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.Column;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.ScalarType;
-import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
+import org.apache.doris.common.UserException;
 import org.apache.doris.common.proc.BackendsProcDir;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.qe.ConnectContext;
@@ -34,7 +34,9 @@ public class ShowBackendsStmt extends ShowStmt {
     }
 
     @Override
-    public void analyze(Analyzer analyzer) throws AnalysisException {
+    public void analyze(Analyzer analyzer) throws UserException {
+        super.analyze(analyzer);
+
         if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)
                 && !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
                                                                           PrivPredicate.OPERATOR)) {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java
index 294e18665d..ba1b07eb4c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java
@@ -17,10 +17,16 @@
 
 package org.apache.doris.analysis;
 
+import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.Table;
 import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.mysql.privilege.PrivPredicate;
 import org.apache.doris.planner.PlanNodeId;
 import org.apache.doris.planner.ScanNode;
+import org.apache.doris.qe.ConnectContext;
+import org.apache.doris.tablefunction.BackendsTableValuedFunction;
 import org.apache.doris.tablefunction.TableValuedFunctionIf;
 
 import java.util.Map;
@@ -96,6 +102,16 @@ public class TableValuedFunctionRef extends TableRef {
         if (isAnalyzed) {
             return;
         }
+
+        // check privilige for backends tvf
+        if (funcName.equalsIgnoreCase(BackendsTableValuedFunction.NAME)) {
+            if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)
+                    && !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(),
+                                                                            PrivPredicate.OPERATOR)) {
+                ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN/OPERATOR");
+            }
+        }
+
         desc = analyzer.registerTableRef(this);
         isAnalyzed = true; // true that we have assigned desc
         analyzeJoin(analyzer);
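Review bot: The privilege check is keyed on the function name inside the generic `TableValuedFunctionRef.analyze`, so it covers `backends()` only for queries analyzed through this method; any other path that builds or describes the TVF (for example `desc function backends()`, if that is handled elsewhere) should be confirmed to enforce the same requirement. A per-function hook on `TableValuedFunctionIf`, or a check inside the backends TVF itself, would let each TVF declare its own privilege without this class importing `BackendsTableValuedFunction`. The ADMIN-or-OPERATOR condition is copied from `ShowBackendsStmt.analyze`; one combined predicate built with `PrivPredicate.of(..., Operator.OR)`, the way `SHOW_RESOURCES` is, would keep the two sites from drifting apart. `ConnectContext.get()` is passed straight to `checkGlobalPriv`, and the hunk does not show whether a null context on this path results in a denial, so that is worth verifying. The comment has a typo and should read `// check privilege for backends tvf`; the enclosing method starts and ends outside the hunk.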
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java
index dc48fb2444..0d9370393f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java
@@ -29,7 +29,7 @@ public class PrivPredicate {
             Privilege.CREATE_PRIV,
             Privilege.DROP_PRIV),
             Operator.OR);
-    //show resources
+    // show resources
     public static final PrivPredicate SHOW_RESOURCES = PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV,
             Privilege.USAGE_PRIV),
             Operator.OR);

