Skip to content

Commit

Permalink
[fix](auth)fix create table like need create_priv of existed table #3…
Browse files Browse the repository at this point in the history 
…7879 #25711 (#38569)
  • Loading branch information
@zddr
zddr authored Aug 2, 2024
1 parent 627ce77 commit 05ec11c
Show file tree
Hide file tree
Showing 5 changed files with 128 additions and 13 deletions.
24 changes: 18 additions & 6 deletions fe/fe-core/src/main/java/org/apache/doris/datasource/InternalCatalog.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,7 @@
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
Expand Down Expand Up @@ -1136,6 +1137,8 @@ public boolean createTable(CreateTableStmt stmt) throws UserException {
}

public void createTableLike(CreateTableLikeStmt stmt) throws DdlException {
ConnectContext ctx = ConnectContext.get();
Objects.requireNonNull(ctx, "ConnectContext.get() can not be null.");
try {
DatabaseIf db = getDbOrDdlException(stmt.getExistedDbName());
TableIf table = db.getTableOrDdlException(stmt.getExistedTableName());
Expand Down Expand Up @@ -1169,14 +1172,23 @@ public void createTableLike(CreateTableLikeStmt stmt) throws DdlException {
} finally {
table.readUnlock();
}
CreateTableStmt parsedCreateTableStmt = (CreateTableStmt) SqlParserUtils.parseAndAnalyzeStmt(
createTableStmt.get(0), ConnectContext.get());
parsedCreateTableStmt.setTableName(stmt.getTableName());
parsedCreateTableStmt.setIfNotExists(stmt.isIfNotExists());
createTable(parsedCreateTableStmt);
boolean originalSkipAuth = ctx.isSkipAuth();
try {
// analyze CreateTableStmt will check create_priv of existedTable, create table like only need
// create_priv of newTable, and select_priv of existedTable, and priv check has done in
// CreateTableStmt/CreateTableCommand, so we skip it
ctx.setSkipAuth(true);
CreateTableStmt parsedCreateTableStmt = (CreateTableStmt) SqlParserUtils.parseAndAnalyzeStmt(
createTableStmt.get(0), ctx);
parsedCreateTableStmt.setTableName(stmt.getTableName());
parsedCreateTableStmt.setIfNotExists(stmt.isIfNotExists());
createTable(parsedCreateTableStmt);
} finally {
ctx.setSkipAuth(originalSkipAuth);
}
} catch (UserException e) {
throw new DdlException("Failed to execute CREATE TABLE LIKE " + stmt.getExistedTableName() + ". Reason: "
+ e.getMessage());
+ e.getMessage(), e);
}
}

Expand Down
3 changes: 3 additions & 0 deletions fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,9 @@ public boolean checkTblPriv(ConnectContext ctx, TableName tableName, PrivPredica

public boolean checkTblPriv(ConnectContext ctx, String qualifiedCtl,
String qualifiedDb, String tbl, PrivPredicate wanted) {
if (ctx.isSkipAuth()) {
return true;
}
return checkTblPriv(ctx.getCurrentUserIdentity(), qualifiedCtl, qualifiedDb, tbl, wanted);
}

Expand Down
14 changes: 14 additions & 0 deletions fe/fe-core/src/main/java/org/apache/doris/qe/ConnectContext.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,12 @@ public class ConnectContext {
// it's default thread-safe
private boolean isProxy = false;

//internal call like `insert overwrite` need skipAuth
// For example, `insert overwrite` only requires load permission,
// but the internal implementation will call the logic of `AlterTable`.
// In this case, `skipAuth` needs to be set to `true` to skip the permission check of `AlterTable`
private boolean skipAuth = false;

public void setUserQueryTimeout(int queryTimeout) {
if (queryTimeout > 0) {
sessionVariable.setQueryTimeoutS(queryTimeout);
Expand Down Expand Up @@ -938,5 +944,13 @@ public void setUserVars(Map<String, LiteralExpr> userVars) {
public boolean isProxy() {
return isProxy;
}

public boolean isSkipAuth() {
return skipAuth;
}

public void setSkipAuth(boolean skipAuth) {
this.skipAuth = skipAuth;
}
}

21 changes: 14 additions & 7 deletions fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1068,6 +1068,7 @@ public void analyze(TQueryOptions tQueryOptions) throws UserException, Interrupt
queryStmt.getTables(analyzer, false, tableMap, parentViewNameSet);
} else if (parsedStmt instanceof InsertOverwriteTableStmt) {
InsertOverwriteTableStmt parsedStmt = (InsertOverwriteTableStmt) this.parsedStmt;
parsedStmt.analyze(analyzer);
queryStmt = parsedStmt.getQueryStmt();
queryStmt.getTables(analyzer, false, tableMap, parentViewNameSet);
} else if (parsedStmt instanceof CreateTableAsSelectStmt) {
Expand Down Expand Up @@ -2506,13 +2507,19 @@ private void handleCtasRollback(TableName table) {
}

private void handleIotStmt() {
InsertOverwriteTableStmt iotStmt = (InsertOverwriteTableStmt) this.parsedStmt;
if (iotStmt.getPartitionNames().size() == 0) {
// insert overwrite table
handleOverwriteTable(iotStmt);
} else {
// insert overwrite table with partition
handleOverwritePartition(iotStmt);
boolean originalSkipAuth = context.isSkipAuth();
context.setSkipAuth(true);
try {
InsertOverwriteTableStmt iotStmt = (InsertOverwriteTableStmt) this.parsedStmt;
if (iotStmt.getPartitionNames().size() == 0) {
// insert overwrite table
handleOverwriteTable(iotStmt);
} else {
// insert overwrite table with partition
handleOverwritePartition(iotStmt);
}
} finally {
context.setSkipAuth(originalSkipAuth);
}
}

Expand Down
79 changes: 79 additions & 0 deletions regression-test/suites/nereids_p0/insert_into_table/insert_auth.groovy
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

suite('nereids_insert_auth') {
sql 'set enable_nereids_planner=true'
sql 'set enable_fallback_to_original_planner=false'
sql 'set enable_nereids_dml=true'
sql 'set enable_strict_consistency_dml=true'

def db = 'nereids_insert_auth_db'
sql "drop database if exists ${db}"
sql "create database ${db}"
sql "use ${db}"

def t1 = 't1'

sql "drop table if exists ${t1}"

sql """
create table ${t1} (
id int,
c1 bigint
)
distributed by hash(id) buckets 2
properties(
'replication_num'='1'
);
"""

String user = "nereids_insert_auth_user";
String pwd = '123456';
def tokens = context.config.jdbcUrl.split('/')
def url = tokens[0] + "//" + tokens[2] + "/" + "information_schema" + "?"
try_sql("DROP USER ${user}")
sql """CREATE USER '${user}' IDENTIFIED BY '${pwd}'"""

connect(user=user, password="${pwd}", url=url) {
try {
sql """ insert into ${db}.${t1} values (1, 1) """
fail()
} catch (Exception e) {
log.info(e.getMessage())
}
}

sql """GRANT LOAD_PRIV ON ${db}.${t1} TO ${user}"""

connect(user=user, password="${pwd}", url=url) {
try {
sql """ insert into ${db}.${t1} values (1, 1) """
} catch (Exception e) {
log.info(e.getMessage())
fail()
}
}

connect(user=user, password="${pwd}", url=url) {
try {
sql """ insert overwrite table ${db}.${t1} values (2, 2) """
} catch (Exception e) {
log.info(e.getMessage())
fail()
}
}
}

0 comments on commit 05ec11c

Please sign in to comment.