Posted to commits@doris.apache.org by GitBox <gi...@apache.org> on 2022/10/18 05:59:25 UTC

[GitHub] [doris] adonis0147 opened a new pull request, #13434: [feature](nereids) Support authentication

adonis0147 opened a new pull request, #13434:
URL: https://github.com/apache/doris/pull/13434

   # Proposed changes
   
   Add a rule to check the permission of a user who is executing a query. Forbid users who don't have `SELECT_PRIV` on some tables from executing queries on these tables.
   
   ## Problem summary
   
   Currently, nereids planner doesn't authenticate the ones who execute queries.
   
   ## Checklist(Required)
   
   1. Does it affect the original behavior: 
       - [ ] Yes
       - [ ] No
       - [ ] I don't know
   2. Has unit tests been added:
       - [ ] Yes
       - [ ] No
       - [ ] No Need
   3. Has document been added or modified:
       - [ ] Yes
       - [ ] No
       - [ ] No Need
   4. Does it need to update dependencies:
       - [ ] Yes
       - [ ] No
   5. Are there any changes that cannot be rolled back:
       - [ ] Yes (If Yes, please explain WHY)
       - [ ] No
   
   ## Further comments
   
   If this is a relatively large or complex change, kick off the discussion at [dev@doris.apache.org](mailto:dev@doris.apache.org) by explaining why you chose the solution you did and what alternatives you considered, etc...
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org


[GitHub] [doris] wangshuo128 commented on a diff in pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
wangshuo128 commented on code in PR #13434:
URL: https://github.com/apache/doris/pull/13434#discussion_r997804395


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/RuleType.java:
##########
@@ -51,6 +51,8 @@ public enum RuleType {
     RESOLVE_AGGREGATE_ALIAS(RuleTypeClass.REWRITE),
     PROJECT_TO_GLOBAL_AGGREGATE(RuleTypeClass.REWRITE),
 
+    RELATION_AUTHENTICATION(RuleTypeClass.CHECK),
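
Review bot: `RELATION_AUTHENTICATION` names this rule type after authentication, but the pull request describes a privilege check (whether the user holds `SELECT_PRIV` on the tables being queried), which is authorization. A name that says so, along the lines of a relation privilege or authorization check, keeps the rule from being mistaken for login-time identity verification when someone later audits where access control is enforced.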

Review Comment:
   To clarify: `RuleTypeClass.CHECK` was introduced by the unit test to compare the expected and actual plan. Maybe it's not a suitable name now.
   I suggest distinguishing the type name between unit test plan check and plan checking in the analysis phase. :)





[GitHub] [doris] morrySnow commented on a diff in pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
morrySnow commented on code in PR #13434:
URL: https://github.com/apache/doris/pull/13434#discussion_r1000285198


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java:
##########
@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.nereids.rules.analysis;
+
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.nereids.rules.Rule;
+import org.apache.doris.nereids.rules.RuleType;
+import org.apache.doris.nereids.trees.plans.Plan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan;
+import org.apache.doris.qe.ConnectContext;
+
+/**
+ * Check whether a user is permitted to scan specific tables.
+ */
+public class UserAuthentication extends OneAnalysisRuleFactory {
+
+    @Override
+    public Rule build() {
+        return logicalOlapScan().thenApply(ctx -> checkPermission(ctx.root, ctx.connectContext))
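
Review bot: In `build()`, the privilege check is attached only to `logicalOlapScan()`, so a table that enters the plan through any other relation node is not matched by this rule and is analyzed without `checkPermission` being called. For an access-control rule the safer default is to match the most general relation pattern available and to refuse anything the check cannot resolve, with a test showing that a user lacking `SELECT_PRIV` is rejected.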

Review Comment:
   We should use the logicalRelation pattern, but I checked GeneratedPatterns and we have no logicalRelation pattern. So I think we need to update the pattern generator to generate it. @924060929 could we do it in the pattern generator?





[GitHub] [doris] github-actions[bot] commented on pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #13434:
URL: https://github.com/apache/doris/pull/13434#issuecomment-1301592339

   PR approved by at least one committer and no changes requested.




[GitHub] [doris] morrySnow merged pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
morrySnow merged PR #13434:
URL: https://github.com/apache/doris/pull/13434




[GitHub] [doris] wangshuo128 commented on a diff in pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
wangshuo128 commented on code in PR #13434:
URL: https://github.com/apache/doris/pull/13434#discussion_r997804395


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/RuleType.java:
##########
@@ -51,6 +51,8 @@ public enum RuleType {
     RESOLVE_AGGREGATE_ALIAS(RuleTypeClass.REWRITE),
     PROJECT_TO_GLOBAL_AGGREGATE(RuleTypeClass.REWRITE),
 
+    RELATION_AUTHENTICATION(RuleTypeClass.CHECK),

Review Comment:
   To clarify: `RuleTypeClass.CHECK` was introduced by the unit test to compare the expected and actual plan. Maybe it's not a suitable name.
   I suggest distinguishing the type name between unit test plan check and plan checking in the analysis phase. :)





[GitHub] [doris] adonis0147 commented on a diff in pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
adonis0147 commented on code in PR #13434:
URL: https://github.com/apache/doris/pull/13434#discussion_r1006668163


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/RuleType.java:
##########
@@ -51,6 +51,8 @@ public enum RuleType {
     RESOLVE_AGGREGATE_ALIAS(RuleTypeClass.REWRITE),
     PROJECT_TO_GLOBAL_AGGREGATE(RuleTypeClass.REWRITE),
 
+    RELATION_AUTHENTICATION(RuleTypeClass.CHECK),

Review Comment:
   Thanks for your suggestion. I have refined it.





[GitHub] [doris] hello-stephen commented on pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
hello-stephen commented on PR #13434:
URL: https://github.com/apache/doris/pull/13434#issuecomment-1293510760

   TeamCity pipeline, clickbench performance test result:
    the sum of best hot time: 38.49 seconds
    load time: 575 seconds
    storage size: 17154821288 Bytes
    https://doris-community-test-1308700295.cos.ap-hongkong.myqcloud.com/tmp/20221027211501_clickbench_pr_34836.html




[GitHub] [doris] github-actions[bot] commented on pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #13434:
URL: https://github.com/apache/doris/pull/13434#issuecomment-1301592361

   PR approved by anyone and no changes requested.




[GitHub] [doris] hello-stephen commented on pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
hello-stephen commented on PR #13434:
URL: https://github.com/apache/doris/pull/13434#issuecomment-1294821664

   TeamCity pipeline, clickbench performance test result:
    the sum of best hot time: 38.65 seconds
    load time: 578 seconds
    storage size: 17154821218 Bytes
    https://doris-community-test-1308700295.cos.ap-hongkong.myqcloud.com/tmp/20221028102254_clickbench_pr_35315.html




[GitHub] [doris] adonis0147 commented on a diff in pull request #13434: [feature](nereids) Support authentication

Posted by GitBox <gi...@apache.org>.
adonis0147 commented on code in PR #13434:
URL: https://github.com/apache/doris/pull/13434#discussion_r1006671108


##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java:
##########
@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.nereids.rules.analysis;
+
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.nereids.rules.Rule;
+import org.apache.doris.nereids.rules.RuleType;
+import org.apache.doris.nereids.trees.plans.Plan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan;
+import org.apache.doris.qe.ConnectContext;
+
+/**
+ * Check whether a user is permitted to scan specific tables.
+ */
+public class UserAuthentication extends OneAnalysisRuleFactory {
+
+    @Override
+    public Rule build() {
+        return logicalOlapScan().thenApply(ctx -> checkPermission(ctx.root, ctx.connectContext))
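
Review bot: The class Javadoc ("Check whether a user is permitted to scan specific tables") does not say which privilege is required or what happens when the check fails. Since the file imports `PrivPredicate`, `ErrorCode` and `AnalysisException`, the comment should name the privilege being tested and state that a failed check rejects the query with an analysis error, if that is the behaviour, so that callers and auditors do not have to read `checkPermission` to learn it.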

Review Comment:
   `logicalRelation` is included in [fe/fe-core/src/main/java/org/apache/doris/nereids/pattern/Patterns.java#L172](https://github.com/apache/doris/blob/master/fe/fe-core/src/main/java/org/apache/doris/nereids/pattern/Patterns.java#L172).



##########
fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java:
##########
@@ -0,0 +1,54 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.nereids.rules.analysis;
+
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.nereids.exceptions.AnalysisException;
+import org.apache.doris.nereids.rules.Rule;
+import org.apache.doris.nereids.rules.RuleType;
+import org.apache.doris.nereids.trees.plans.Plan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan;
+import org.apache.doris.qe.ConnectContext;
+
+/**
+ * Check whether a user is permitted to scan specific tables.
+ */
+public class UserAuthentication extends OneAnalysisRuleFactory {
+
+    @Override
+    public Rule build() {
+        return logicalOlapScan().thenApply(ctx -> checkPermission(ctx.root, ctx.connectContext))

Review Comment:
   Done.
   
   `logicalRelation` is included in [fe/fe-core/src/main/java/org/apache/doris/nereids/pattern/Patterns.java#L172](https://github.com/apache/doris/blob/master/fe/fe-core/src/main/java/org/apache/doris/nereids/pattern/Patterns.java#L172).


