morningman commented on a change in pull request #6192:
URL: https://github.com/apache/incubator-doris/pull/6192#discussion_r671286226



##########
File path: fe/fe-core/src/main/java/org/apache/doris/qe/StmtExecutor.java
##########
@@ -283,6 +283,9 @@ public void execute(TUniqueId queryId) throws Exception {
             }
 
             if (parsedStmt instanceof QueryStmt) {
+                QueryStmt queryStmt = (QueryStmt) this.parsedStmt;
+                // match sql
+                matchSql(queryStmt);
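
Review bot: `matchSql(queryStmt)` sits inside the `parsedStmt instanceof QueryStmt` branch, so any statement that is not a `QueryStmt` never reaches the block-rule check. If the rules are meant to restrict what a user can run, move the check ahead of this type test, or state in the comment that only queries are covered. The `// match sql` comment restates the call; it should say what happens on a match (presumably an exception out of `execute`, which already declares `throws Exception`) and which text is matched. The cast reads `this.parsedStmt` while the condition reads `parsedStmt`; use one form, and inline the local `queryStmt` if nothing else uses it.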

Review comment:
       I think all kinds of stmt can be blocked? Not only select stmt?
   And it can be blocked in `handleQuery()` of `ConnectProcessor`, so that we don't even need to parse it.

##########
File path: docs/zh-CN/administrator-guide/block-rule/sql-block.md
##########
@@ -0,0 +1,45 @@
+---
+{
+"title": "SQL黑名单",
+"language": "zh-CN"
+}
+---
+
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# SQL黑名单
+
+支持按用户配置SQL黑名单,通过正则匹配的方式拒绝指定SQL
+
+## 具体操作
+
+对SQL规则增删改查
+- 创建SQL阻止规则
+    - user:规则生效的用户,default代表所有用户都生效,如果同时命中指定用户和default的规则,default规则优先
+    - sql:匹配规则(基于正则匹配,特殊字符需要转译)
+    - sqlHash: sql hash值,用于完全匹配,我们会在`fe.audit.log`打印这个值
+    - enable:是否开启阻止规则
+> CREATE SQL_BLOCK_RULE test_rule PROPERTIES("user"="default","sql"="select 
\\* from test_table","sqlHash":null,"enable"="true")
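
Review bot: In the example statement, `"sqlHash":null` uses a colon where every other property uses `=`, so the documented command is inconsistent with itself; write it in the same `"key"="value"` form as the others or leave the property out. The `sql` bullet should also say whether the regex has to match the whole statement or any part of it, and whether case and whitespace are normalised before matching, because that decides how a rule must be written to be effective. In the same bullet, 转译 looks like a typo for 转义. The `user` bullet says the `default` rule wins when both a user rule and `default` match; a short example of that case would make the precedence unambiguous.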

Review comment:
       This markdown format does not seem right...
   For the code part, it should be wrapped by ``.

##########
File path: fe/fe-core/src/main/java/org/apache/doris/blockrule/SqlBlockRuleMgr.java
##########
@@ -0,0 +1,239 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.blockrule;
+
+import org.apache.doris.analysis.AlterSqlBlockRuleStmt;
+import org.apache.doris.analysis.CreateSqlBlockRuleStmt;
+import org.apache.doris.analysis.DropSqlBlockRuleStmt;
+import org.apache.doris.analysis.ShowSqlBlockRuleStmt;
+import org.apache.doris.catalog.Catalog;
+import org.apache.doris.common.AnalysisException;
+import org.apache.doris.common.DdlException;
+import org.apache.doris.common.ErrorCode;
+import org.apache.doris.common.ErrorReport;
+import org.apache.doris.common.UserException;
+import org.apache.doris.common.io.Writable;
+import org.apache.doris.metric.MetricRepo;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.qe.ConnectContext;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.io.DataInput;
+import java.io.DataOutput;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
+import java.util.regex.Pattern;
+
+public class SqlBlockRuleMgr implements Writable {
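
Review bot: `public class SqlBlockRuleMgr implements Writable` has no class-level Javadoc. Given the imports of `ReentrantReadWriteLock`, `Pattern` and `DigestUtils`, the comment should state what the lock guards, what gets persisted through `Writable`, which digest produces the SQL hash, and where patterns are compiled. Compiling each `Pattern` once when a rule is created or altered, and rejecting an invalid expression at that point, keeps a bad rule from surfacing as an error on every later query. Both `java.util.ArrayList` and Guava `Lists` are imported; pick one way of building lists.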

Review comment:
       SQL block rule is a "per user" property, so it is better to put it in the `UserProperty`?

##########
File path: fe/fe-core/src/main/cup/sql_parser.cup
##########
@@ -1827,6 +1837,10 @@ drop_stmt ::=
     {:
         RESULT = new DropResourceStmt(resourceName);
     :}
+    | KW_DROP KW_SQL_BLOCK_RULE ident_list:ruleNames
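
Review bot: The new `KW_DROP KW_SQL_BLOCK_RULE ident_list:ruleNames` alternative accepts a list of names, so one statement can drop several rules, but nothing here defines what happens when one of the names does not exist. Specify whether the whole statement fails or the remaining rules are still dropped, and consider an `IF EXISTS` form as other drop statements commonly offer. The action block for this alternative is not visible in the hunk; make sure it follows the same `RESULT = new ...Stmt(...)` shape as the `DropResourceStmt` case above it.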

Review comment:
       Can different users have the same rule name? If yes, how to handle it? If no, how to check it?
   Maybe you should write like: `drop sql_block_rule FROM username ...`




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
