From 93a2518d12efe15312825002ac144840be951317 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Mon, 9 Sep 2024 11:04:49 +0800 Subject: [PATCH] =?UTF-8?q?[fix](auth)Fix=20some=20issues=20with=20incorre?= =?UTF-8?q?ct=20permission=20verification=20(#3=E2=80=A6=20(#40410)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …9726) pick: https://github.com/apache/doris/pull/39726 --- .../org/apache/doris/analysis/ShowColumnStmt.java | 11 +++++++++++ .../java/org/apache/doris/analysis/ShowDataStmt.java | 2 +- .../org/apache/doris/analysis/ShowSyncJobStmt.java | 9 +++++++++ .../doris/analysis/ShowTabletStorageFormatStmt.java | 6 ++---- .../java/org/apache/doris/qe/ConnectScheduler.java | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java index eb7fcaf0285e6a..9af269104cc993 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowColumnStmt.java @@ -18,9 +18,14 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.InfoSchemaDb; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -103,6 +108,12 @@ public void analyze(Analyzer analyzer) throws AnalysisException { } else { metaData = META_DATA; } + if (!Env.getCurrentEnv().getAccessManager() + .checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(), + tableName.getTbl(), PrivPredicate.SHOW)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR, + PrivPredicate.SHOW.getPrivs().toString(), tableName); + } } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java index dd2053750bafa9..799fa68bcf70be 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowDataStmt.java @@ -115,7 +115,7 @@ public ShowDataStmt(TableName tableName, List orderByElements) { public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); dbName = analyzer.getDefaultDb(); - if (Strings.isNullOrEmpty(dbName)) { + if (Strings.isNullOrEmpty(dbName) && tableName == null) { getAllDbStats(); return; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java index 25980ea16a8c53..f0671f8afe0619 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowSyncJobStmt.java @@ -18,10 +18,14 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; +import org.apache.doris.datasource.InternalCatalog; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSetMetaData; import com.google.common.base.Strings; @@ -60,6 +64,11 @@ public void analyze(Analyzer analyzer) throws UserException { ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR); } } + if (!Env.getCurrentEnv().getAccessManager() + .checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR, + PrivPredicate.SHOW.getPrivs().toString(), dbName); + } } @Override diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java index 441f0f1d7d5288..9d0f3b88e6c3b2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowTabletStorageFormatStmt.java @@ -38,10 +38,8 @@ public ShowTabletStorageFormatStmt(boolean verbose) { public void analyze(Analyzer analyzer) throws UserException { // check access first if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { - ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR, - toSql(), - ConnectContext.get().getQualifiedUser(), - ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed."); + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, + PrivPredicate.ADMIN.getPrivs().toString()); } super.analyze(analyzer); diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java index 31a55649b506ed..db60ac84b63e1f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java +++ b/fe/fe-core/src/main/java/org/apache/doris/qe/ConnectScheduler.java @@ -163,7 +163,7 @@ public List listConnection(String user, boolean isFul for (ConnectContext ctx : connectionMap.values()) { // Check auth if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager() - .checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) { + .checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) { continue; }