You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by mo...@apache.org on 2023/06/25 10:35:46 UTC
[doris] branch master updated: [fix](nereids) check table privilege when it's needed (#21130)
This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new b6c9feb458 [fix](nereids) check table privilege when it's needed (#21130)
b6c9feb458 is described below
commit b6c9feb458269d3f69025b43fdee2bd3d6c1d08b
Author: starocean999 <40...@users.noreply.github.com>
AuthorDate: Sun Jun 25 18:35:39 2023 +0800
[fix](nereids) check table privilege when it's needed (#21130)
check privilege on LogicalOlapScan, LogicalEsScan, LogicalFileScan and LogicalSchemaScan
---
.../nereids/rules/analysis/UserAuthentication.java | 31 ++++++++++++++++------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
index 48356ea3a4..b88108cbc9 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
@@ -23,13 +23,23 @@ import org.apache.doris.nereids.exceptions.AnalysisException;
import org.apache.doris.nereids.rules.Rule;
import org.apache.doris.nereids.rules.RuleType;
import org.apache.doris.nereids.trees.plans.Plan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalEsScan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalFileScan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan;
import org.apache.doris.nereids.trees.plans.logical.LogicalRelation;
+import org.apache.doris.nereids.trees.plans.logical.LogicalSchemaScan;
import org.apache.doris.qe.ConnectContext;
+import com.google.common.collect.Sets;
+
+import java.util.Set;
+
/**
* Check whether a user is permitted to scan specific tables.
*/
public class UserAuthentication extends OneAnalysisRuleFactory {
+ Set<Class<?>> relationsToCheck = Sets.newHashSet(LogicalOlapScan.class, LogicalEsScan.class,
+ LogicalFileScan.class, LogicalSchemaScan.class);
@Override
public Rule build() {
@@ -43,15 +53,20 @@ public class UserAuthentication extends OneAnalysisRuleFactory {
if (connectContext.getSessionVariable().isPlayNereidsDump()) {
return relation;
}
- String dbName = !relation.getQualifier().isEmpty() ? relation.getQualifier().get(0) : null;
- String tableName = relation.getTable().getName();
- if (!connectContext.getEnv().getAccessManager()
- .checkTblPriv(connectContext, dbName, tableName, PrivPredicate.SELECT)) {
- String message = ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT",
- ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(),
- dbName + ": " + tableName);
- throw new AnalysisException(message);
+
+ if (relationsToCheck.contains(relation.getClass())) {
+ String dbName =
+ !relation.getQualifier().isEmpty() ? relation.getQualifier().get(0) : null;
+ String tableName = relation.getTable().getName();
+ if (!connectContext.getEnv().getAccessManager().checkTblPriv(connectContext, dbName,
+ tableName, PrivPredicate.SELECT)) {
+ String message = ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT",
+ ConnectContext.get().getQualifiedUser(), ConnectContext.get().getRemoteIP(),
+ dbName + ": " + tableName);
+ throw new AnalysisException(message);
+ }
}
+
return relation;
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org