This is an automated email from the ASF dual-hosted git repository.

morrysnow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new b6c9feb458 [fix](nereids) check table privilege when it's needed 
(#21130)
b6c9feb458 is described below

commit b6c9feb458269d3f69025b43fdee2bd3d6c1d08b
Author: starocean999 <40539150+starocean...@users.noreply.github.com>
AuthorDate: Sun Jun 25 18:35:39 2023 +0800

    [fix](nereids) check table privilege when it's needed (#21130)
    
    check privilege on LogicalOlapScan, LogicalEsScan, LogicalFileScan and 
LogicalSchemaScan
---
 .../nereids/rules/analysis/UserAuthentication.java | 31 ++++++++++++++++------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
index 48356ea3a4..b88108cbc9 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/analysis/UserAuthentication.java
@@ -23,13 +23,23 @@ import 
org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.rules.Rule;
 import org.apache.doris.nereids.rules.RuleType;
 import org.apache.doris.nereids.trees.plans.Plan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalEsScan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalFileScan;
+import org.apache.doris.nereids.trees.plans.logical.LogicalOlapScan;
 import org.apache.doris.nereids.trees.plans.logical.LogicalRelation;
+import org.apache.doris.nereids.trees.plans.logical.LogicalSchemaScan;
 import org.apache.doris.qe.ConnectContext;
 
+import com.google.common.collect.Sets;
+
+import java.util.Set;
+
 /**
  * Check whether a user is permitted to scan specific tables.
  */
 public class UserAuthentication extends OneAnalysisRuleFactory {
+    Set<Class<?>> relationsToCheck = Sets.newHashSet(LogicalOlapScan.class, 
LogicalEsScan.class,
+            LogicalFileScan.class, LogicalSchemaScan.class);
 
     @Override
     public Rule build() {
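Review bot: The new `relationsToCheck` field decides which relations get a privilege check, yet it is declared package-private, non-final and backed by a mutable `HashSet`, so any code in the package can add or remove entries at runtime. Since the set is fixed, it would be safer as a constant, for example `private static final Set<Class<? extends LogicalRelation>> RELATIONS_TO_CHECK = ImmutableSet.of(LogicalOlapScan.class, LogicalEsScan.class, LogicalFileScan.class, LogicalSchemaScan.class);`, which needs Guava's `ImmutableSet` import in place of `Sets`. A short comment stating why these four scan types need the check, and why other relations are exempt, would help the next person who adds a relation type. The body of `build()` continues outside this hunk.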
@@ -43,15 +53,20 @@ public class UserAuthentication extends 
OneAnalysisRuleFactory {
         if (connectContext.getSessionVariable().isPlayNereidsDump()) {
             return relation;
         }
-        String dbName = !relation.getQualifier().isEmpty() ? 
relation.getQualifier().get(0) : null;
-        String tableName = relation.getTable().getName();
-        if (!connectContext.getEnv().getAccessManager()
-                .checkTblPriv(connectContext, dbName, tableName, 
PrivPredicate.SELECT)) {
-            String message = 
ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT",
-                    ConnectContext.get().getQualifiedUser(), 
ConnectContext.get().getRemoteIP(),
-                    dbName + ": " + tableName);
-            throw new AnalysisException(message);
+
+        if (relationsToCheck.contains(relation.getClass())) {
+            String dbName =
+                    !relation.getQualifier().isEmpty() ? 
relation.getQualifier().get(0) : null;
+            String tableName = relation.getTable().getName();
+            if 
(!connectContext.getEnv().getAccessManager().checkTblPriv(connectContext, 
dbName,
+                    tableName, PrivPredicate.SELECT)) {
+                String message = 
ErrorCode.ERR_TABLEACCESS_DENIED_ERROR.formatErrorMsg("SELECT",
+                        ConnectContext.get().getQualifiedUser(), 
ConnectContext.get().getRemoteIP(),
+                        dbName + ": " + tableName);
+                throw new AnalysisException(message);
+            }
         }
+
         return relation;
     }
 }
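Review bot: The guard `relationsToCheck.contains(relation.getClass())` makes the SELECT privilege check opt-in by exact class, so the rule fails open. Any `LogicalRelation` type not in the set, including a future scan type or a subclass of one of the four listed classes, is returned without `checkTblPriv` being called. If the intent is only to exempt relations that have no backing catalog table, it would be safer to list those exemptions and check everything else. At minimum the match should cover subclasses: `relationsToCheck.stream().anyMatch(c -> c.isInstance(relation))`. Whether other table-reading relation types exist today cannot be seen from this hunk, so a test asserting that every concrete `LogicalRelation` subclass is either checked or explicitly exempted would keep the list current. Separately, the denial message reads the user and IP from `ConnectContext.get()` while the check itself uses the local `connectContext`; using the local one for both avoids reporting a different context than the one checked. The enclosing lambda starts outside the hunk.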

