Posted to dev@iotdb.apache.org by 周钰坤 <zy...@gmail.com> on 2022/05/06 11:14:19 UTC

Refactor the rule of auth check

Hi

Currently, the rule of IoTDB's auth check is prefix match, which is
inconsistent with pattern match in DDL and DML. Therefore, we want to
refactor the rule to pattern match.
For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES
INSERT_TIMESERIES on root.ln', won't work any more. The replacement is
'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.

Besides, we introduce the concept, sub pattern, which means a
pattern's result set contains all the elements of its sub pattern's
result set. For example, 'root.sg.d.*' is a sub pattern of
'root.sg.*.*', while 'root.sg.**' is not a sub pattern of
'root.sg.*.*'.
When a user is granted privilege on a pattern, the pattern used in his
DDL or DML must be a sub pattern of the privilege pattern, which
guarantees that the user won't access timeseries that exceed his
privilege scope.

To guarantee the efficiency and performance of auth check, we will
implement the auth check after the generation of statement and before
the execution of statement.

Hope for some suggestions.


Best
----------------------------------------------------
Yukun Zhou
School of Software, Tsinghua University

周钰坤
School of Software, Tsinghua University
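
Added example (not part of the original mail and not IoTDB code): one way to decide the sub pattern relation described above, by checking language inclusion between the two path patterns. It assumes nodes are separated by '.', '*' matches exactly one node, '**' matches one or more nodes, and wildcards appear only as whole nodes; the function names are hypothetical.

```python
# Added example, not IoTDB code. Assumed semantics: nodes are separated by '.',
# '*' matches exactly one node, '**' matches one or more nodes, and wildcards
# only appear as whole nodes. All names below are hypothetical.
ONE, MANY = "*", "**"
OTHER = object()  # stands for every node name that appears in neither pattern


def _step(tokens, state, symbol):
    """NFA transition: states reachable from `state` after reading one node."""
    nxt = set()
    if state < len(tokens) and tokens[state] in (ONE, MANY, symbol):
        nxt.add(state + 1)            # the current token consumes this node
    if state > 0 and tokens[state - 1] == MANY:
        nxt.add(state)                # a preceding '**' absorbs one more node
    return nxt


def is_sub_pattern(sub, granted):
    """True if every path matched by `sub` is also matched by `granted`."""
    s_tok, g_tok = sub.split("."), granted.split(".")
    # Node names not named in either pattern behave alike, so OTHER covers them.
    alphabet = {t for t in s_tok + g_tok if t not in (ONE, MANY)} | {OTHER}
    start = (0, frozenset({0}))
    seen, todo = {start}, [start]
    while todo:
        s, g_states = todo.pop()
        for sym in alphabet:
            g_next = frozenset(n for g in g_states for n in _step(g_tok, g, sym))
            for s_next in _step(s_tok, s, sym):
                if s_next == len(s_tok) and len(g_tok) not in g_next:
                    return False      # sub accepts a path that granted rejects
                node = (s_next, g_next)
                if node not in seen:
                    seen.add(node)
                    todo.append(node)
    return True


def is_authorized(grants, statement_pattern):
    """Allow a statement only if a single granted pattern covers all of it."""
    return any(is_sub_pattern(statement_pattern, g) for g in grants)
```

The check compares patterns only, so it can run after the statement is generated and before it executes, without enumerating the timeseries involved.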

Re: Refactor the rule of auth check

Posted by Jialin Qiao <qi...@apache.org>.
Hi,

root.sg.** should be a legal path.
If a user has read permission under root.sg.**, he could query all paths
like root.sg.x.x (a sub pattern of root.sg.**)

Thanks,
—————————————————
Jialin Qiao
Apache IoTDB PMC


Xiangdong Huang <sa...@gmail.com> wrote on Sun, May 8, 2022 at 19:48:

> Hi,
>
> Just want to make a confirmation: so we cannot grant privileges to
> 'root.sg.**'.
> It is illegal, right?
> -----------------------------------
> Xiangdong Huang
> School of Software, Tsinghua University
>
> 黄向东
> School of Software, Tsinghua University
>
>
> 周钰坤 <zy...@gmail.com> wrote on Fri, May 6, 2022 at 19:14:
>
> > Hi
> >
> > Currently, the rule of IoTDB's auth check is prefix match, which is
> > inconsistent with pattern match in DDL and DML. Therefore, we want to
> > refactor the rule to pattern match.
> > For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES
> > INSERT_TIMESERIES on root.ln', won't work any more. The replacement is
> > 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.
> >
> > Besides, we introduce the concept, sub pattern, which means a
> > pattern's result set contains all the elements of its sub pattern's
> > result set. For example, 'root.sg.d.*' is a sub pattern of
> > 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of
> > 'root.sg.*.*'.
> > When a user is granted privilege on a pattern, the pattern used in his
> > DDL or DML must be a sub pattern of the privilege pattern, which
> > guarantees that the user won't access timeseries that exceed his
> > privilege scope.
> >
> > To guarantee the efficiency and performance of auth check, we will
> > implement the auth check after the generation of statement and before
> > the execution of statement.
> >
> > Hope for some suggestions.
> >
> >
> > Best
> > ----------------------------------------------------
> > Yukun Zhou
> > School of Software, Tsinghua University
> >
> > 周钰坤
> > School of Software, Tsinghua University
> >
>

Re: Refactor the rule of auth check

Posted by Xiangdong Huang <sa...@gmail.com>.
Hi,

Just want to make a confirmation: so we cannot grant privileges to
'root.sg.**'.
It is illegal, right?
-----------------------------------
Xiangdong Huang
School of Software, Tsinghua University

黄向东
School of Software, Tsinghua University


周钰坤 <zy...@gmail.com> wrote on Fri, May 6, 2022 at 19:14:

> Hi
>
> Currently, the rule of IoTDB's auth check is prefix match, which is
> inconsistent with pattern match in DDL and DML. Therefore, we want to
> refactor the rule to pattern match.
> For example, an old SQL statement, 'GRANT USER ln_write_user PRIVILEGES
> INSERT_TIMESERIES on root.ln', won't work any more. The replacement is
> 'GRANT USER ln_write_user PRIVILEGES INSERT_TIMESERIES on root.ln.**'.
>
> Besides, we introduce the concept, sub pattern, which means a
> pattern's result set contains all the elements of its sub pattern's
> result set. For example, 'root.sg.d.*' is a sub pattern of
> 'root.sg.*.*', while 'root.sg.**' is not a sub pattern of
> 'root.sg.*.*'.
> When a user is granted privilege on a pattern, the pattern used in his
> DDL or DML must be a sub pattern of the privilege pattern, which
> guarantees that the user won't access timeseries that exceed his
> privilege scope.
>
> To guarantee the efficiency and performance of auth check, we will
> implement the auth check after the generation of statement and before
> the execution of statement.
>
> Hope for some suggestions.
>
>
> Best
> ----------------------------------------------------
> Yukun Zhou
> School of Software, Tsinghua University
>
> 周钰坤
> School of Software, Tsinghua University
>