This is an automated email from the ASF dual-hosted git repository. morningman pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push: new 4395fb70c4 [Enhancement](tvf) Backends tvf supports authentication (#20333) 4395fb70c4 is described below commit 4395fb70c456bf0bdd53351d4188d73142688975 Author: yongjinhou <109586248+yongjin...@users.noreply.github.com> AuthorDate: Fri Jun 2 17:53:44 2023 +0800 [Enhancement](tvf) Backends tvf supports authentication (#20333) Add authentication for backends tvf. --- .../sql-manual/sql-functions/table-functions/backends.md | 2 ++ .../sql-manual/sql-functions/table-functions/backends.md | 4 +++- .../java/org/apache/doris/analysis/ShowBackendsStmt.java | 6 ++++-- .../apache/doris/analysis/TableValuedFunctionRef.java | 16 ++++++++++++++++ .../org/apache/doris/mysql/privilege/PrivPredicate.java | 2 +- 5 files changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md b/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md index d6dae3bb3d..4fea18e317 100644 --- a/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md +++ b/docs/en/docs/sql-manual/sql-functions/table-functions/backends.md @@ -81,6 +81,8 @@ mysql> desc function backends(); The information displayed by the `backends` tvf is basically consistent with the information displayed by the `show backends` statement. However, the types of each field in the `backends` tvf are more specific, and you can use the `backends` tvf to perform operations such as filtering and joining. +The information displayed by the `backends` tvf is authenticated, which is consistent with the behavior of `show backends`, user must have ADMIN/OPERATOR privelege. + ### example ``` mysql> select * from backends()\G diff --git a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md index 95c4c5725f..14e792dc3d 100644 --- a/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md 
+++ b/docs/zh-CN/docs/sql-manual/sql-functions/table-functions/backends.md @@ -78,7 +78,9 @@ mysql> desc function backends(); 25 rows in set (0.04 sec) ``` -`backends()` tvf展示出来的信息基本与 `show backends` 语句展示出的信息一致,但是`backends()` tvf的各个字段类型更加明确,且可以利用tvf生成的表去做过滤、join等操作。 +`backends()` tvf展示出来的信息基本与 `show backends` 语句展示出的信息一致,但是 `backends()` tvf的各个字段类型更加明确,且可以利用tvf生成的表去做过滤、join等操作。 + +对 `backends()` tvf信息展示进行了鉴权,与 `show backends` 行为保持一致,要求用户具有 ADMIN/OPERATOR 权限。 ### example ``` diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java index 69e2708d3e..46009bd1c0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/ShowBackendsStmt.java @@ -20,9 +20,9 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; -import org.apache.doris.common.AnalysisException; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; +import org.apache.doris.common.UserException; import org.apache.doris.common.proc.BackendsProcDir; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; @@ -34,7 +34,9 @@ public class ShowBackendsStmt extends ShowStmt { } @Override - public void analyze(Analyzer analyzer) throws AnalysisException { + public void analyze(Analyzer analyzer) throws UserException { + super.analyze(analyzer); + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN) && !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.OPERATOR)) { 
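Review bot: In `ShowBackendsStmt.analyze`, the new `super.analyze(analyzer)` call runs before the ADMIN/OPERATOR test in the trailing context lines, and nothing in the hunk says why it was added or why the signature widened to `throws UserException`. What the parent method does is not visible here; if it has any effect beyond binding the analyzer, the privilege test should come first so an unauthorized statement fails before other work is done. Since this commit applies the same privilege rule in a second place, a comment above the test would help keep the two aligned: `// Requires global ADMIN or OPERATOR; the backends() TVF enforces the same rule in TableValuedFunctionRef.analyze`. The method body continues past the end of the hunk.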
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java index 294e18665d..ba1b07eb4c 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/TableValuedFunctionRef.java @@ -17,10 +17,16 @@ package org.apache.doris.analysis; +import org.apache.doris.catalog.Env; import org.apache.doris.catalog.Table; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.ErrorCode; +import org.apache.doris.common.ErrorReport; +import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.planner.PlanNodeId; import org.apache.doris.planner.ScanNode; +import org.apache.doris.qe.ConnectContext; +import org.apache.doris.tablefunction.BackendsTableValuedFunction; import org.apache.doris.tablefunction.TableValuedFunctionIf; import java.util.Map; @@ -96,6 +102,16 @@ public class TableValuedFunctionRef extends TableRef { if (isAnalyzed) { return; } + + // check privilige for backends tvf + if (funcName.equalsIgnoreCase(BackendsTableValuedFunction.NAME)) { + if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN) + && !Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), + PrivPredicate.OPERATOR)) { + ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR, "ADMIN/OPERATOR"); + } + } + desc = analyzer.registerTableRef(this); isAnalyzed = true; // true that we have assigned desc analyzeJoin(analyzer); diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java index dc48fb2444..0d9370393f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java 
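Review bot: The privilege test added to `TableValuedFunctionRef.analyze` is selected by `funcName.equalsIgnoreCase(BackendsTableValuedFunction.NAME)`, so it covers only this one function and only code paths that analyze the TVF through this class; whether any other path can bind `backends()` is not visible in the diff and is worth confirming. The condition is also a copy of the one in `ShowBackendsStmt.analyze`, which lets the two drift apart; a shared helper, or a privilege hook on the table function object that `analyze` calls for every TVF, would keep enforcement next to the function definition. The diffstat lists no test file, so a regression case asserting that a user without ADMIN/OPERATOR gets `ERR_SPECIFIC_ACCESS_DENIED_ERROR` from `select * from backends()` would pin the behaviour. The added comment misspells the word and should read `// check privilege for backends tvf`. The analyze method begins and ends outside the hunk.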
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/PrivPredicate.java @@ -29,7 +29,7 @@ public class PrivPredicate { Privilege.CREATE_PRIV, Privilege.DROP_PRIV), Operator.OR); - //show resources + // show resources public static final PrivPredicate SHOW_RESOURCES = PrivPredicate.of(PrivBitSet.of(Privilege.ADMIN_PRIV, Privilege.USAGE_PRIV), Operator.OR); --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org