diff --git a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java index 2cb8337db72ad2..7d8626c1ea0989 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java +++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java @@ -525,7 +525,7 @@ public TAddColumnsResult addColumns(TAddColumnsRequest request) throws TExceptio // index id -> index schema Map> indexSchemaMap = new HashMap<>(); - //index id -> index col_unique_id supplier + // index id -> index col_unique_id supplier Map colUniqueIdSupplierMap = new HashMap<>(); for (Map.Entry> entry : olapTable.getIndexIdToSchema(true).entrySet()) { indexSchemaMap.put(entry.getKey(), new LinkedList<>(entry.getValue())); @@ -544,13 +544,13 @@ public int getAsInt() { } colUniqueIdSupplierMap.put(entry.getKey(), colUniqueIdSupplier); } - //4. call schame change function, only for dynamic table feature. + // 4. call schame change function, only for dynamic table feature. SchemaChangeHandler schemaChangeHandler = new SchemaChangeHandler(); boolean lightSchemaChange = schemaChangeHandler.processAddColumns( addColumnsClause, olapTable, indexSchemaMap, true, colUniqueIdSupplierMap); if (lightSchemaChange) { - //for schema change add column optimize, direct modify table meta. + // for schema change add column optimize, direct modify table meta. List newIndexes = olapTable.getCopiedIndexes(); long jobId = Env.getCurrentEnv().getNextId(); Env.getCurrentEnv().getSchemaChangeHandler().modifyTableLightSchemaChange( @@ -562,7 +562,7 @@ public int getAsInt() { } } - //5. build all columns + // 5. build all columns for (Column column : olapTable.getBaseSchema()) { allColumns.add(column.toThrift()); } 
@@ -756,7 +756,7 @@ public TListTableMetadataNameIdsResult listTableMetadataNameIds(TGetTablesParams if (params.isSetPattern()) { try { matcher = PatternMatcher.createMysqlPattern(params.getPattern(), - CaseSensibility.TABLE.getCaseSensibility()); + CaseSensibility.TABLE.getCaseSensibility()); } catch (PatternMatcherException e) { throw new TException("Pattern is in bad format " + params.getPattern()); } @@ -1095,13 +1095,18 @@ private List getTableNames(String cluster, String dbName, List tab return tableNames; } - private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl, - String clientIp, PrivPredicate predicate) throws AuthenticationException { + private void checkSingleTablePasswordAndPrivs(String cluster, String user, String passwd, String db, String tbl, + String clientIp, PrivPredicate predicate) throws AuthenticationException { checkPasswordAndPrivs(cluster, user, passwd, db, Lists.newArrayList(tbl), clientIp, predicate); } + private void checkDbPasswordAndPrivs(String cluster, String user, String passwd, String db, String clientIp, + PrivPredicate predicate) throws AuthenticationException { + checkPasswordAndPrivs(cluster, user, passwd, db, null, clientIp, predicate); + } + private void checkPasswordAndPrivs(String cluster, String user, String passwd, String db, List tables, - String clientIp, PrivPredicate predicate) throws AuthenticationException { + String clientIp, PrivPredicate predicate) throws AuthenticationException { final String fullUserName = ClusterNamespace.getFullName(cluster, user); final String fullDbName = ClusterNamespace.getFullName(cluster, db); 
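Review bot: `checkDbPasswordAndPrivs` selects database scope by passing `null` for `tables`, and the following hunk makes the list overload treat a null or empty list the same way, so the scope of the check now depends on an undocumented sentinel. A caller that forwards a request-supplied list (loadTxnCommitImpl passes `request.getTbls()`; its guarding condition is outside the hunk) would get a database-level check instead of a rejection if that list were empty. Separately, `checkSingleTablePasswordAndPrivs` with a null `tbl` builds a one-element list holding null, which skips the new branch and reaches `checkTblPriv` with a null table name. Whether `request.getTable()` can be unset in getBinlogImpl, getSnapshotImpl and getBinlogLagImpl is not visible here and should be confirmed. I would state the contract on the list overload, e.g. `// tables == null or empty: db-level check only; elements must be non-null`, and reject a null or empty `tbl` in the single-table wrapper.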
@@ -1109,10 +1114,20 @@ private void checkPasswordAndPrivs(String cluster, String user, String passwd, S Env.getCurrentEnv().getAuth().checkPlainPassword(fullUserName, clientIp, passwd, currentUser); Preconditions.checkState(currentUser.size() == 1); + if (tables == null || tables.isEmpty()) { + if (!Env.getCurrentEnv().getAccessManager().checkDbPriv(currentUser.get(0), fullDbName, predicate)) { + throw new AuthenticationException( + "Access denied; you need (at least one of) the (" + predicate.toString() + + ") privilege(s) for this operation"); + } + return; + } + for (String tbl : tables) { if (!Env.getCurrentEnv().getAccessManager().checkTblPriv(currentUser.get(0), fullDbName, tbl, predicate)) { throw new AuthenticationException( - "Access denied; you need (at least one of) the LOAD privilege(s) for this operation"); + "Access denied; you need (at least one of) the (" + predicate.toString() + + ") privilege(s) for this operation"); } } } @@ -1184,7 +1199,8 @@ private TLoadTxnBeginResult loadTxnBeginImpl(TLoadTxnBeginRequest request, Strin if (request.isSetAuthCode()) { // TODO(cmy): find a way to check } else if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } @@ -1363,7 +1379,7 @@ private List queryLoadCommitTables(TLoadTxnCommitRequest request, Databas } List tbNames; - //check has multi table + // check has multi table if (CollectionUtils.isNotEmpty(request.getTbls())) { tbNames = request.getTbls(); } else { @@ -1374,7 +1390,7 @@ private List
queryLoadCommitTables(TLoadTxnCommitRequest request, Databas OlapTable table = (OlapTable) db.getTableOrMetaException(tbl, TableType.OLAP); tables.add(table); } - //if it has multi table, use multi table and update multi table running transaction table ids + // if it has multi table, use multi table and update multi table running transaction table ids if (CollectionUtils.isNotEmpty(request.getTbls())) { List multiTableIds = tables.stream().map(Table::getId).collect(Collectors.toList()); Env.getCurrentGlobalTransactionMgr().getDatabaseTransactionMgr(db.getId()) @@ -1398,11 +1414,12 @@ private void loadTxnPreCommitImpl(TLoadTxnCommitRequest request) throws UserExce // refactoring it if (CollectionUtils.isNotEmpty(request.getTbls())) { for (String tbl : request.getTbls()) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl, + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + tbl, request.getUserIp(), PrivPredicate.LOAD); } } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } @@ -1510,7 +1527,8 @@ private void loadTxn2PCImpl(TLoadTxn2PCRequest request) throws UserException { } for (Table table : tableList) { // check auth - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), table.getName(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + table.getName(), request.getUserIp(), PrivPredicate.LOAD); } 
@@ -1578,7 +1596,7 @@ private boolean loadTxnCommitImpl(TLoadTxnCommitRequest request) throws UserExce checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbls(), request.getUserIp(), PrivPredicate.LOAD); } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } } @@ -1763,14 +1781,15 @@ private void loadTxnRollbackImpl(TLoadTxnRollbackRequest request) throws UserExc } else if (request.isSetToken()) { checkToken(request.getToken()); } else { - //multi table load + // multi table load if (CollectionUtils.isNotEmpty(request.getTbls())) { for (String tbl : request.getTbls()) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), tbl, + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + tbl, request.getUserIp(), PrivPredicate.LOAD); } } else { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } @@ -2054,7 +2073,8 @@ private void httpStreamPutImpl(TStreamLoadPutRequest request, TStreamLoadPutResu if (request.isSetAuthCode()) { // TODO(cmy): find a way to check } else if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTbl(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTbl(), request.getUserIp(), PrivPredicate.LOAD); } ctx.setEnv(Env.getCurrentEnv()); 
@@ -2131,15 +2151,15 @@ private TExecPlanFragmentParams streamLoadPutImpl(TStreamLoadPutRequest request, } private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs) throws UserException { + String fullDbName, OlapTable table, + long timeoutMs) throws UserException { return generatePlanFragmentParams(request, db, fullDbName, table, timeoutMs, 1, false); } private TExecPlanFragmentParams generatePlanFragmentParams(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs, int multiTableFragmentInstanceIdIndex, - boolean isMultiTableRequest) + String fullDbName, OlapTable table, + long timeoutMs, int multiTableFragmentInstanceIdIndex, + boolean isMultiTableRequest) throws UserException { if (!table.tryReadLock(timeoutMs, TimeUnit.MILLISECONDS)) { throw new UserException( @@ -2191,10 +2211,10 @@ private TPipelineFragmentParams pipelineStreamLoadPutImpl(TStreamLoadPutRequest } private TPipelineFragmentParams generatePipelineStreamLoadPut(TStreamLoadPutRequest request, Database db, - String fullDbName, OlapTable table, - long timeoutMs, - int multiTableFragmentInstanceIdIndex, - boolean isMultiTableRequest) + String fullDbName, OlapTable table, + long timeoutMs, + int multiTableFragmentInstanceIdIndex, + boolean isMultiTableRequest) throws UserException { if (db == null) { String dbName = fullDbName; @@ -2746,7 +2766,8 @@ private TGetBinlogResult getBinlogImpl(TGetBinlogRequest request, String clientI cluster = SystemInfoService.DEFAULT_CLUSTER; } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), request.getUserIp(), PrivPredicate.SELECT); } 
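Review bot: The renamed call in getBinlogImpl still passes `request.getUserIp()` as the client address although the method receives a `clientIp` parameter, while getSnapshotImpl and restoreSnapshotImpl pass `clientIp` to the same helper. The helper hands that value to `checkPlainPassword(fullUserName, clientIp, passwd, currentUser)`, so it presumably takes part in resolving the user identity. If `clientIp` is the peer address and `getUserIp()` is filled in by the caller, host-restricted accounts would be matched against a value the request controls. If that reading is right, the argument line should be `request.getTable(), clientIp, PrivPredicate.SELECT);`, and the same applies to getBinlogLagImpl; otherwise a comment saying why the request field is trusted here would help. The method body starts and ends outside the hunk.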
@@ -2867,8 +2888,8 @@ private TGetSnapshotResult getSnapshotImpl(TGetSnapshotRequest request, String c request.getUser(), request.getDb(), request.getLabelName(), request.getSnapshotName(), request.getSnapshotType()); if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), - request.getTable(), clientIp, PrivPredicate.LOAD); + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), clientIp, PrivPredicate.SELECT); } // Step 3: get snapshot @@ -2952,8 +2973,8 @@ private TRestoreSnapshotResult restoreSnapshotImpl(TRestoreSnapshotRequest reque } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), - request.getTable(), clientIp, PrivPredicate.LOAD); + checkDbPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), clientIp, + PrivPredicate.LOAD); } // Step 3: get snapshot @@ -3085,7 +3106,8 @@ private TGetBinlogLagResult getBinlogLagImpl(TGetBinlogRequest request, String c cluster = SystemInfoService.DEFAULT_CLUSTER; } if (Strings.isNullOrEmpty(request.getToken())) { - checkPasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), request.getTable(), + checkSingleTablePasswordAndPrivs(cluster, request.getUser(), request.getPasswd(), request.getDb(), + request.getTable(), request.getUserIp(), PrivPredicate.SELECT); }
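Review bot: In getSnapshotImpl the password and privilege check runs only when the token is empty, and no token validation is visible between that `if` and "Step 3: get snapshot". loadTxnRollbackImpl, by contrast, calls `checkToken(request.getToken())` on its token path. Unless validation happens earlier in the method, which the hunk does not show, the branch should gain `} else { checkToken(request.getToken()); }`. The same shape appears in restoreSnapshotImpl, getBinlogImpl and getBinlogLagImpl. Moving the predicate from LOAD to SELECT for a read path looks right.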
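Review bot: restoreSnapshotImpl now authorizes on the database alone with `PrivPredicate.LOAD` and no longer consults `request.getTable()`, but nothing at the call site records why that scope and predicate are the right gate. What a restore may create or overwrite is not visible in this hunk; if it can add or replace tables, confirm that LOAD is sufficient rather than a stronger predicate. A one-line comment above the call would pin the decision, e.g. `// restore acts on the whole database, so require db-level LOAD (confirm against the RESTORE statement's privilege)`.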