[case](auth)Add case for auth (#45478)

### What problem does this PR solve?

add case 
- Restrictions on special users, roles, and resources
- Permission control for select count
- Permission control for tvf

regression-test/suites/account_p0/test_system_db.groovy

@@ -0,0 +1,46 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_system_db","p0,auth") {
+    String suiteName = "test_system_db"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+    sql """
+        grant select_priv on __internal_schema.* to `${user}`;
+    """
+    sql """
+        grant select_priv on information_schema.* to `${user}`;
+    """
+    sql """
+        grant select_priv on mysql.* to `${user}`;
+    """
+    sql """
+        revoke select_priv on __internal_schema.* from `${user}`;
+    """
+    sql """
+        revoke select_priv on information_schema.* from `${user}`;
+    """
+    sql """
+        revoke select_priv on mysql.* from `${user}`;
+    """
+    try_sql("DROP USER ${user}")
+}

regression-test/suites/account_p0/test_system_role.groovy

@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_system_role","p0,auth") {
+    test {
+          sql """
+              drop role operator;
+          """
+          exception "Can not drop role"
+    }
+
+    test {
+          sql """
+              drop role `admin`;
+          """
+          exception "Can not drop role"
+    }
+
+    test {
+          sql """
+              grant select_priv on *.*.* to role "operator";
+          """
+          exception "Can not grant"
+    }
+    test {
+          sql """
+              grant select_priv on *.*.* to role "admin";
+          """
+          exception "Can not grant"
+    }
+    test {
+          sql """
+              revoke Node_priv on *.*.* from role 'operator';
+          """
+          exception "Can not revoke"
+    }
+
+    test {
+          sql """
+              revoke Admin_priv on *.*.* from role 'admin';
+          """
+          exception "Can not revoke"
+    }
+
+}

regression-test/suites/account_p0/test_system_user.groovy

@@ -17,7 +17,7 @@
 
 import org.junit.Assert;
 
-suite("test_system_user") {
+suite("test_system_user","p0,auth") {
     test {
           sql """
               create user `root`;
@@ -36,4 +36,30 @@ suite("test_system_user") {
           """
           exception "system"
     }
+    test {
+          sql """
+              revoke "operator" from root;
+          """
+          exception "Can not revoke role"
+    }
+    test {
+          sql """
+              revoke 'admin' from `admin`;
+          """
+          exception "Unsupported operation"
+    }
+
+    sql """
+        grant select_priv on *.*.* to  `root`;
+    """
+    sql """
+        revoke select_priv on *.*.* from  `root`;
+    """
+    sql """
+        grant select_priv on *.*.* to  `admin`;
+    """
+    sql """
+        revoke select_priv on *.*.* from  `admin`;
+    """
+
 }

regression-test/suites/auth_p0/test_catalogs_auth.groovy

@@ -0,0 +1,68 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_catalogs_auth","p0,auth") {
+    String suiteName = "test_catalogs_auth"
+    String catalogName = "${suiteName}_catalog"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+   sql """drop catalog if exists ${catalogName}"""
+    sql """CREATE CATALOG ${catalogName} PROPERTIES (
+            "type"="es",
+            "hosts"="http://8.8.8.8:9200"
+        );"""
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+
+    sql """grant select_priv on regression_test to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        def showRes = sql """show catalogs;"""
+        logger.info("showRes: " + showRes.toString())
+        assertFalse(showRes.toString().contains("${catalogName}"))
+
+        def tvfRes = sql """select * from catalogs();"""
+        logger.info("tvfRes: " + tvfRes.toString())
+        assertFalse(tvfRes.toString().contains("${catalogName}"))
+    }
+
+    sql """grant select_priv on ${catalogName}.*.* to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        def showRes = sql """show catalogs;"""
+        logger.info("showRes: " + showRes.toString())
+        assertTrue(showRes.toString().contains("${catalogName}"))
+
+        def tvfRes = sql """select * from catalogs();"""
+        logger.info("tvfRes: " + tvfRes.toString())
+        assertTrue(tvfRes.toString().contains("${catalogName}"))
+    }
+
+    try_sql("DROP USER ${user}")
+    sql """drop catalog if exists ${catalogName}"""
+}

regression-test/suites/auth_p0/test_mtmv_auth.groovy

@@ -0,0 +1,100 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+import org.junit.Assert;
+
+suite("test_mtmv_auth","p0,auth") {
+    String suiteName = "test_mtmv_auth"
+    String dbName = context.config.getDbNameByFile(context.file)
+    String tableName = "${suiteName}_table"
+    String mvName = "${suiteName}_mv"
+    String user = "${suiteName}_user"
+    String pwd = 'C123_567p'
+    try_sql("DROP USER ${user}")
+    sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+
+   sql """DROP MATERIALIZED VIEW IF EXISTS ${mvName};"""
+   sql """drop table if exists `${tableName}`"""
+    sql """
+        CREATE TABLE `${tableName}` (
+          `user_id` LARGEINT NOT NULL COMMENT '\"用户id\"',
+          `date` DATE NOT NULL COMMENT '\"数据灌入日期时间\"',
+          `num` SMALLINT NOT NULL COMMENT '\"数量\"'
+        ) ENGINE=OLAP
+        DUPLICATE KEY(`user_id`, `date`, `num`)
+        COMMENT 'OLAP'
+        DISTRIBUTED BY HASH(`user_id`) BUCKETS 2
+        PROPERTIES ('replication_num' = '1') ;
+        """
+
+    sql """
+        CREATE MATERIALIZED VIEW ${mvName}
+            BUILD DEFERRED REFRESH AUTO ON MANUAL
+            DISTRIBUTED BY RANDOM BUCKETS 2
+            PROPERTIES ('replication_num' = '1')
+            AS
+            select * from ${tableName};
+        """
+
+    sql """refresh MATERIALIZED VIEW ${mvName} auto"""
+    waitingMTMVTaskFinishedByMvName(mvName)
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+    }
+
+    sql """grant select_priv on regression_test to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+        def mvsRes = sql """select * from mv_infos("database"="${dbName}");"""
+        logger.info("mvsRes: " + mvsRes.toString())
+        assertFalse(mvsRes.toString().contains("${mvName}"))
+
+        def jobsRes = sql """select * from jobs("type"="mv");"""
+        logger.info("jobsRes: " + jobsRes.toString())
+        assertFalse(jobsRes.toString().contains("${mvName}"))
+
+        def tasksRes = sql """select * from tasks("type"="mv");"""
+        logger.info("tasksRes: " + tasksRes.toString())
+        assertFalse(tasksRes.toString().contains("${mvName}"))
+
+    }
+
+    sql """grant select_priv on ${dbName}.${mvName} to ${user}"""
+
+    connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+       def mvsRes = sql """select * from mv_infos("database"="${dbName}");"""
+       logger.info("mvsRes: " + mvsRes.toString())
+       assertTrue(mvsRes.toString().contains("${mvName}"))
+
+       def jobsRes = sql """select * from jobs("type"="mv");"""
+       logger.info("jobsRes: " + jobsRes.toString())
+       assertTrue(jobsRes.toString().contains("${mvName}"))
+
+       def tasksRes = sql """select * from tasks("type"="mv");"""
+       logger.info("tasksRes: " + tasksRes.toString())
+       assertTrue(tasksRes.toString().contains("${mvName}"))
+    }
+
+    try_sql("DROP USER ${user}")
+    sql """DROP MATERIALIZED VIEW IF EXISTS ${mvName};"""
+    sql """drop table if exists `${tableName}`"""
+}

regression-test/suites/auth_p0/test_partition_values_tvf_auth.groovy

@@ -0,0 +1,69 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_partition_values_tvf_auth","p0,auth") {
+    String suiteName = "test_partition_values_tvf_auth"
+     String enabled = context.config.otherConfigs.get("enableHiveTest")
+     if (enabled == null || !enabled.equalsIgnoreCase("true")) {
+        logger.info("disable Hive test.")
+        return;
+     }
+
+     for (String hivePrefix : ["hive3"]) {
+             String extHiveHmsHost = context.config.otherConfigs.get("externalEnvIp")
+             String extHiveHmsPort = context.config.otherConfigs.get(hivePrefix + "HmsPort")
+             String catalog_name = "${hivePrefix}_test_external_catalog_hive_partition"
+
+             sql """drop catalog if exists ${catalog_name};"""
+             sql """
+                 create catalog if not exists ${catalog_name} properties (
+                     'type'='hms',
+                     'hive.metastore.uris' = 'thrift://${extHiveHmsHost}:${extHiveHmsPort}'
+                 );
+             """
+            String user = "${suiteName}_user"
+            String pwd = 'C123_567p'
+            try_sql("DROP USER ${user}")
+            sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""
+            //cloud-mode
+            if (isCloudMode()) {
+                def clusters = sql " SHOW CLUSTERS; "
+                assertTrue(!clusters.isEmpty())
+                def validCluster = clusters[0][0]
+                sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user}""";
+            }
+
+            sql """grant select_priv on regression_test to ${user}"""
+             connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+                 test {
+                       sql """
+                          select * from partition_values("catalog" = "${catalog_name}", "database" = "multi_catalog", "table" = "orc_partitioned_columns") order by t_int, t_float;
+                       """
+                       exception "denied"
+                 }
+             }
+            sql """grant select_priv on ${catalog_name}.multi_catalog.orc_partitioned_columns to ${user}"""
+            connect(user=user, password="${pwd}", url=context.config.jdbcUrl) {
+               sql """
+                  select * from partition_values("catalog" = "${catalog_name}", "database" = "multi_catalog", "table" = "orc_partitioned_columns") order by t_int, t_float;
+               """
+             }
+             try_sql("DROP USER ${user}")
+             sql """drop catalog if exists ${catalog_name}"""
+         }
+}
+