Posted to commits@doris.apache.org by lu...@apache.org on 2023/06/30 04:56:31 UTC
[doris] branch master updated: [Enhancement](tvf) Add authentication for workload group tvf (#21323)
This is an automated email from the ASF dual-hosted git repository.
luozenglin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new df23ab3f29 [Enhancement](tvf) Add authentication for workload group tvf (#21323)
df23ab3f29 is described below
commit df23ab3f29d3ede2487115a79cf9aa85047f06c0
Author: yongjinhou <10...@users.noreply.github.com>
AuthorDate: Fri Jun 30 12:56:23 2023 +0800
[Enhancement](tvf) Add authentication for workload group tvf (#21323)
---
be/src/vec/exec/scan/vmeta_scan_node.cpp | 9 +++++++--
be/src/vec/exec/scan/vmeta_scan_node.h | 2 ++
be/src/vec/exec/scan/vmeta_scanner.cpp | 5 +++--
be/src/vec/exec/scan/vmeta_scanner.h | 5 ++++-
.../sql-functions/table-functions/workload-group.md | 2 +-
.../sql-functions/table-functions/workload-group.md | 2 +-
.../doris/planner/external/MetadataScanNode.java | 4 ++++
.../resource/workloadgroup/WorkloadGroupMgr.java | 21 +++++++++++++--------
.../doris/tablefunction/MetadataGenerator.java | 8 +++++++-
gensrc/thrift/FrontendService.thrift | 1 +
gensrc/thrift/PlanNodes.thrift | 1 +
11 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/be/src/vec/exec/scan/vmeta_scan_node.cpp b/be/src/vec/exec/scan/vmeta_scan_node.cpp
index b94049697d..3bdcbfbaae 100644
--- a/be/src/vec/exec/scan/vmeta_scan_node.cpp
+++ b/be/src/vec/exec/scan/vmeta_scan_node.cpp
@@ -37,6 +37,9 @@ VMetaScanNode::VMetaScanNode(ObjectPool* pool, const TPlanNode& tnode, const Des
_tuple_id(tnode.meta_scan_node.tuple_id),
_scan_params(tnode.meta_scan_node) {
_output_tuple_id = _tuple_id;
+ if (_scan_params.__isset.current_user_ident) {
+ _user_identity = _scan_params.current_user_ident;
+ }
}
Status VMetaScanNode::init(const TPlanNode& tnode, RuntimeState* state) {
@@ -62,9 +65,11 @@ Status VMetaScanNode::_init_scanners(std::list<VScannerSPtr>* scanners) {
if (_eos == true) {
return Status::OK();
}
+
for (auto& scan_range : _scan_ranges) {
- std::shared_ptr<VMetaScanner> scanner = VMetaScanner::create_shared(
- _state, this, _tuple_id, scan_range, _limit_per_scanner, runtime_profile());
+ std::shared_ptr<VMetaScanner> scanner =
+ VMetaScanner::create_shared(_state, this, _tuple_id, scan_range, _limit_per_scanner,
+ runtime_profile(), _user_identity);
RETURN_IF_ERROR(scanner->prepare(_state, _conjuncts));
scanners->push_back(scanner);
}
diff --git a/be/src/vec/exec/scan/vmeta_scan_node.h b/be/src/vec/exec/scan/vmeta_scan_node.h
index b432d74760..caad8b1b7f 100644
--- a/be/src/vec/exec/scan/vmeta_scan_node.h
+++ b/be/src/vec/exec/scan/vmeta_scan_node.h
@@ -19,6 +19,7 @@
#include <gen_cpp/PaloInternalService_types.h>
#include <gen_cpp/PlanNodes_types.h>
+#include <gen_cpp/Types_types.h>
#include <list>
#include <vector>
@@ -55,6 +56,7 @@ private:
Status _process_conjuncts() override;
TupleId _tuple_id;
+ TUserIdentity _user_identity;
TMetaScanNode _scan_params;
std::vector<TScanRangeParams> _scan_ranges;
};
diff --git a/be/src/vec/exec/scan/vmeta_scanner.cpp b/be/src/vec/exec/scan/vmeta_scanner.cpp
index 030f710eba..eb1bc857a2 100644
--- a/be/src/vec/exec/scan/vmeta_scanner.cpp
+++ b/be/src/vec/exec/scan/vmeta_scanner.cpp
@@ -23,7 +23,6 @@
#include <gen_cpp/HeartbeatService_types.h>
#include <gen_cpp/PaloInternalService_types.h>
#include <gen_cpp/PlanNodes_types.h>
-#include <gen_cpp/Types_types.h>
#include <ostream>
#include <string>
@@ -58,10 +57,11 @@ namespace doris::vectorized {
VMetaScanner::VMetaScanner(RuntimeState* state, VMetaScanNode* parent, int64_t tuple_id,
const TScanRangeParams& scan_range, int64_t limit,
- RuntimeProfile* profile)
+ RuntimeProfile* profile, TUserIdentity user_identity)
: VScanner(state, static_cast<VScanNode*>(parent), limit, profile),
_meta_eos(false),
_tuple_id(tuple_id),
+ _user_identity(user_identity),
_scan_range(scan_range.scan_range) {}
Status VMetaScanner::open(RuntimeState* state) {
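Review bot: The new `TUserIdentity user_identity` parameter is taken by value and then copied again into the member by `_user_identity(user_identity)`, so each scanner construction copies the struct twice. Either keep the by-value parameter and initialise with `_user_identity(std::move(user_identity))`, or declare it as `const TUserIdentity& user_identity` here and in the matching declaration in vmeta_scanner.h. The neighbouring `scan_range` parameter is already passed by const reference, so the second form is the more consistent one.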
@@ -317,6 +317,7 @@ Status VMetaScanner::_build_workload_groups_metadata_request(
// create TMetadataTableRequestParams
TMetadataTableRequestParams metadata_table_params;
metadata_table_params.__set_metadata_type(TMetadataType::WORKLOAD_GROUPS);
+ metadata_table_params.__set_current_user_ident(_user_identity);
request->__set_metada_table_params(metadata_table_params);
return Status::OK();
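Review bot: `metadata_table_params.__set_current_user_ident(_user_identity)` runs unconditionally, so the request always has the field marked as set, even when the plan node carried no identity and `_user_identity` is still default-constructed (the constructor in vmeta_scan_node.cpp only assigns it under `__isset.current_user_ident`). That makes the frontend's `isSetCurrentUserIdent()` guard in MetadataGenerator.java ineffective for this path: a missing identity arrives as a present but empty one, and the outcome then depends on how the privilege check treats an empty user, which is not visible here. Pass the `__isset.current_user_ident` flag along with `_user_identity` and call the setter only when it is true, or return an error status from this function when no identity was supplied. The function body starts outside this hunk.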
diff --git a/be/src/vec/exec/scan/vmeta_scanner.h b/be/src/vec/exec/scan/vmeta_scanner.h
index ae3505d19f..22f3dfe681 100644
--- a/be/src/vec/exec/scan/vmeta_scanner.h
+++ b/be/src/vec/exec/scan/vmeta_scanner.h
@@ -18,6 +18,7 @@
#pragma once
#include <gen_cpp/Data_types.h>
+#include <gen_cpp/Types_types.h>
#include <stdint.h>
#include <vector>
@@ -51,7 +52,8 @@ class VMetaScanner : public VScanner {
public:
VMetaScanner(RuntimeState* state, VMetaScanNode* parent, int64_t tuple_id,
- const TScanRangeParams& scan_range, int64_t limit, RuntimeProfile* profile);
+ const TScanRangeParams& scan_range, int64_t limit, RuntimeProfile* profile,
+ TUserIdentity user_identity);
Status open(RuntimeState* state) override;
Status close(RuntimeState* state) override;
@@ -74,6 +76,7 @@ private:
bool _meta_eos;
TupleId _tuple_id;
+ TUserIdentity _user_identity;
const TupleDescriptor* _tuple_desc;
std::vector<TRow> _batch_data;
const TScanRange& _scan_range;
diff --git a/docs/en/docs/sql-manual/sql-functions/table-functions/workload-group.md b/docs/en/docs/sql-manual/sql-functions/table-functions/workload-group.md
index 0e222e7a0a..2371c7c2b2 100644
--- a/docs/en/docs/sql-manual/sql-functions/table-functions/workload-group.md
+++ b/docs/en/docs/sql-manual/sql-functions/table-functions/workload-group.md
@@ -36,7 +36,7 @@ workload_groups
### description
-Table-Value-Function, generate a temporary table named `workload_groups`. This tvf is used to view informations about current workload groups.
+Table-Value-Function, generate a temporary table named `workload_groups`. This tvf is used to view information about workload groups for which current user has permission.
This function is used in `FROM` clauses.
diff --git a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/workload-group.md b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/workload-group.md
index 9a4802559b..a3ededbfd4 100644
--- a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/workload-group.md
+++ b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/workload-group.md
@@ -36,7 +36,7 @@ workload_groups
### description
-表函数,生成 workload_groups 临时表,可以查看当前资源组信息。
+表函数,生成 workload_groups 临时表,可以查看当前用户具有权限的资源组信息。
该函数用于from子句中。
diff --git a/fe/fe-core/src/main/java/org/apache/doris/planner/external/MetadataScanNode.java b/fe/fe-core/src/main/java/org/apache/doris/planner/external/MetadataScanNode.java
index d16126fd8f..9952d9d783 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/planner/external/MetadataScanNode.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/planner/external/MetadataScanNode.java
@@ -21,6 +21,7 @@ import org.apache.doris.analysis.Analyzer;
import org.apache.doris.analysis.TupleDescriptor;
import org.apache.doris.common.UserException;
import org.apache.doris.planner.PlanNodeId;
+import org.apache.doris.qe.ConnectContext;
import org.apache.doris.statistics.StatisticalType;
import org.apache.doris.system.Backend;
import org.apache.doris.tablefunction.MetadataTableValuedFunction;
@@ -31,6 +32,7 @@ import org.apache.doris.thrift.TPlanNodeType;
import org.apache.doris.thrift.TScanRange;
import org.apache.doris.thrift.TScanRangeLocation;
import org.apache.doris.thrift.TScanRangeLocations;
+import org.apache.doris.thrift.TUserIdentity;
import com.google.common.collect.Lists;
@@ -53,6 +55,8 @@ public class MetadataScanNode extends ExternalScanNode {
TMetaScanNode metaScanNode = new TMetaScanNode();
metaScanNode.setTupleId(desc.getId().asInt());
metaScanNode.setMetadataType(this.tvf.getMetadataType());
+ TUserIdentity tCurrentUser = ConnectContext.get().getCurrentUserIdentity().toThrift();
+ metaScanNode.setCurrentUserIdent(tCurrentUser);
planNode.setMetaScanNode(metaScanNode);
}
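Review bot: `ConnectContext.get().getCurrentUserIdentity().toThrift()` dereferences the thread-local context without a null check, while the code this commit removes in WorkloadGroupMgr guarded the same call with `Objects.isNull(ConnectContext.get())`. If this plan node can be built on a thread with no connection context, which is not visible from the hunk, planning fails with a NullPointerException rather than a clear error. Consider `ConnectContext ctx = ConnectContext.get();` followed by throwing a `UserException` when `ctx` is null, if the enclosing method declares it, so that a missing identity is reported explicitly instead of being silently omitted. The identity is also attached for every metadata type although only the workload-group path reads it; a short comment saying so would help the next reader. The enclosing method starts outside the hunk.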
diff --git a/fe/fe-core/src/main/java/org/apache/doris/resource/workloadgroup/WorkloadGroupMgr.java b/fe/fe-core/src/main/java/org/apache/doris/resource/workloadgroup/WorkloadGroupMgr.java
index cd019dc63b..c3b50d5025 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/resource/workloadgroup/WorkloadGroupMgr.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/resource/workloadgroup/WorkloadGroupMgr.java
@@ -20,6 +20,7 @@ package org.apache.doris.resource.workloadgroup;
import org.apache.doris.analysis.AlterWorkloadGroupStmt;
import org.apache.doris.analysis.CreateWorkloadGroupStmt;
import org.apache.doris.analysis.DropWorkloadGroupStmt;
+import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.Config;
@@ -31,7 +32,6 @@ import org.apache.doris.common.UserException;
import org.apache.doris.common.io.Text;
import org.apache.doris.common.io.Writable;
import org.apache.doris.common.proc.BaseProcResult;
-import org.apache.doris.common.proc.ProcNodeInterface;
import org.apache.doris.common.proc.ProcResult;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.persist.DropWorkloadGroupOperationLog;
@@ -39,6 +39,7 @@ import org.apache.doris.persist.gson.GsonPostProcessable;
import org.apache.doris.persist.gson.GsonUtils;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.thrift.TPipelineWorkloadGroup;
+import org.apache.doris.thrift.TUserIdentity;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
@@ -310,7 +311,13 @@ public class WorkloadGroupMgr implements Writable, GsonPostProcessable {
}
public List<List<String>> getResourcesInfo() {
- return procNode.fetchResult().getRows();
+ UserIdentity currentUserIdentity = ConnectContext.get().getCurrentUserIdentity();
+ return procNode.fetchResult(currentUserIdentity).getRows();
+ }
+
+ public List<List<String>> getResourcesInfo(TUserIdentity tcurrentUserIdentity) {
+ UserIdentity currentUserIdentity = UserIdentity.fromThrift(tcurrentUserIdentity);
+ return procNode.fetchResult(currentUserIdentity).getRows();
}
// for ut
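Review bot: The no-argument `getResourcesInfo()` now calls `ConnectContext.get().getCurrentUserIdentity()` directly, so a caller with no connection context gets a NullPointerException. The previous `fetchResult()` tolerated a null context, although it did so by skipping the privilege check. Failing closed is the right direction, but it should be explicit: check for a null context and return an empty list or throw a descriptive exception. The new `getResourcesInfo(TUserIdentity)` overload should likewise reject a null argument before calling `UserIdentity.fromThrift`. Both methods would benefit from a one-line comment stating that rows are filtered by `SHOW_WORKLOAD_GROUP` for the given identity, because the filtering itself happens in `ResourceProcNode.fetchResult` in the next hunk.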
@@ -340,17 +347,15 @@ public class WorkloadGroupMgr implements Writable, GsonPostProcessable {
(id, workloadGroup) -> nameToWorkloadGroup.put(workloadGroup.getName(), workloadGroup));
}
- public class ResourceProcNode implements ProcNodeInterface {
- @Override
- public ProcResult fetchResult() {
+ public class ResourceProcNode {
+ public ProcResult fetchResult(UserIdentity currentUserIdentity) {
BaseProcResult result = new BaseProcResult();
result.setNames(WORKLOAD_GROUP_PROC_NODE_TITLE_NAMES);
readLock();
try {
for (WorkloadGroup workloadGroup : idToWorkloadGroup.values()) {
- if (!Objects.isNull(ConnectContext.get()) && !Env.getCurrentEnv().getAccessManager()
- .checkWorkloadGroupPriv(ConnectContext.get(), workloadGroup.getName(),
- PrivPredicate.SHOW_WORKLOAD_GROUP)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkWorkloadGroupPriv(currentUserIdentity,
+ workloadGroup.getName(), PrivPredicate.SHOW_WORKLOAD_GROUP)) {
continue;
}
workloadGroup.getProcNodeData(result);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/MetadataGenerator.java b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/MetadataGenerator.java
index d2a0a2a5ee..ff2d9ce55c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/MetadataGenerator.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/MetadataGenerator.java
@@ -37,6 +37,7 @@ import org.apache.doris.thrift.TMetadataType;
import org.apache.doris.thrift.TRow;
import org.apache.doris.thrift.TStatus;
import org.apache.doris.thrift.TStatusCode;
+import org.apache.doris.thrift.TUserIdentity;
import com.google.common.base.Stopwatch;
import com.google.common.base.Strings;
@@ -257,8 +258,13 @@ public class MetadataGenerator {
}
private static TFetchSchemaTableDataResult workloadGroupsMetadataResult(TMetadataTableRequestParams params) {
+ if (!params.isSetCurrentUserIdent()) {
+ return errorResult("current user ident is not set.");
+ }
+
+ TUserIdentity tcurrentUserIdentity = params.getCurrentUserIdent();
List<List<String>> workloadGroupsInfo = Env.getCurrentEnv().getWorkloadGroupMgr()
- .getResourcesInfo();
+ .getResourcesInfo(tcurrentUserIdentity);
TFetchSchemaTableDataResult result = new TFetchSchemaTableDataResult();
List<TRow> dataBatch = Lists.newArrayList();
for (List<String> rGroupsInfo : workloadGroupsInfo) {
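Review bot: The identity used for the privilege check is read from the request with `params.getCurrentUserIdent()` and is not tied to any authenticated session on the frontend. The authorization result is therefore only as trustworthy as the caller of this RPC. That is acceptable if only backends can reach this service, but the assumption should be written down at the check, for example `// current_user_ident is echoed back by the BE from the plan node; it is not re-authenticated here`. The `isSetCurrentUserIdent()` guard also accepts a set but empty identity, so validating that the user name is non-empty before calling `getResourcesInfo` would make the rejection explicit. Because the field is optional in the thrift definition, a backend that predates this change would presumably receive the "current user ident is not set." error during a rolling upgrade, which is worth a line in the upgrade notes. The method body continues past the end of this hunk.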
diff --git a/gensrc/thrift/FrontendService.thrift b/gensrc/thrift/FrontendService.thrift
index fca5481f3b..ca84522401 100644
--- a/gensrc/thrift/FrontendService.thrift
+++ b/gensrc/thrift/FrontendService.thrift
@@ -806,6 +806,7 @@ struct TMetadataTableRequestParams {
3: optional PlanNodes.TBackendsMetadataParams backends_metadata_params
4: optional list<string> columns_name
5: optional PlanNodes.TFrontendsMetadataParams frontends_metadata_params
+ 6: optional Types.TUserIdentity current_user_ident
}
struct TFetchSchemaTableDataRequest {
diff --git a/gensrc/thrift/PlanNodes.thrift b/gensrc/thrift/PlanNodes.thrift
index ac8de521dc..978efee422 100644
--- a/gensrc/thrift/PlanNodes.thrift
+++ b/gensrc/thrift/PlanNodes.thrift
@@ -584,6 +584,7 @@ struct TSchemaScanNode {
struct TMetaScanNode {
1: required Types.TTupleId tuple_id
2: optional Types.TMetadataType metadata_type
+ 3: optional Types.TUserIdentity current_user_ident
}
struct TTestExternalScanNode {