This is an automated email from the ASF dual-hosted git repository. morningman pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 0a2d7379fcf86c7ea7aab628c34517d01e8db74e Author: zhangdong <493738...@qq.com> AuthorDate: Mon Mar 18 14:59:03 2024 +0800 [enhance](auth)row policy support catalog and match name instead id (#32310) Follow up #32137 storage name instead id to meta,Prevent table deletion and reconstruction and causing ID changes --- .../org/apache/doris/analysis/StmtRewriter.java | 15 ++- .../mysql/privilege/AccessControllerManager.java | 3 +- .../mysql/privilege/CatalogAccessController.java | 4 +- .../mysql/privilege/InternalAccessController.java | 19 +--- .../trees/plans/logical/LogicalCheckPolicy.java | 9 +- .../org/apache/doris/policy/DropPolicyLog.java | 42 +++++-- .../main/java/org/apache/doris/policy/Policy.java | 11 +- .../java/org/apache/doris/policy/PolicyMgr.java | 126 +++++++++++++++++---- .../java/org/apache/doris/policy/RowPolicy.java | 44 +++++-- .../apache/doris/datasource/ColumnPrivTest.java | 3 +- .../nereids/privileges/TestCheckPrivileges.java | 2 +- 11 files changed, 183 insertions(+), 95 deletions(-) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/StmtRewriter.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/StmtRewriter.java index 0c6c71b7c2f..62737131b62 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/StmtRewriter.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/StmtRewriter.java @@ -21,10 +21,8 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Column; -import org.apache.doris.catalog.DatabaseIf; import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; -import org.apache.doris.catalog.TableIf; import org.apache.doris.catalog.Type; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.TableAliasGenerator; 
@@ -1327,16 +1325,17 @@ public class StmtRewriter { if (!(tableRef instanceof BaseTableRef)) { continue; } - TableIf table = tableRef.getTable(); + String tableName = tableRef.getName().getTbl(); String dbName = tableRef.getName().getDb(); if (dbName == null) { dbName = analyzer.getDefaultDb(); } - DatabaseIf db = currentEnv.getCatalogMgr().getCatalogOrAnalysisException(tableRef.getName().getCtl()) - .getDbOrAnalysisException(dbName); - long dbId = db.getId(); - long tableId = table.getId(); - RowPolicy matchPolicy = currentEnv.getPolicyMgr().getMatchTablePolicy(dbId, tableId, currentUserIdentity); + String ctlName = tableRef.getName().getCtl(); + if (ctlName == null) { + ctlName = analyzer.getDefaultCatalog(); + } + RowPolicy matchPolicy = currentEnv.getPolicyMgr() + .getMatchTablePolicy(ctlName, dbName, tableName, currentUserIdentity); if (matchPolicy == null) { continue; } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index 85392695237..3a264d6d217 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java @@ -22,7 +22,6 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; -import org.apache.doris.common.AnalysisException; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; 
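Review bot: A name mismatch now fails open in this loop: the policy lookup is keyed on `tableRef.getName().getTbl()` and `getDb()` rather than on the resolved table, and when `getMatchTablePolicy` finds no entry it returns null and the loop `continue`s without adding a filter. If the name on the table reference can differ from the name stored in the policy (for example in letter case, should table names be resolved case-insensitively), the table would be read unfiltered. I would take the name from the resolved object, e.g. `String tableName = tableRef.getTable().getName();`, as the LogicalCheckPolicy code in this commit does with `catalogRelation.getTable().getName()`. The same exact-string contract now applies to `InternalAccessController.evalRowFilterPolicies`, which no longer fails on an unknown database or table, so it deserves a comment saying callers must pass canonical names. The enclosing method starts and ends outside this hunk.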
@@ -273,7 +272,7 @@ public class AccessControllerManager { } public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String - ctl, String db, String tbl) throws AnalysisException { + ctl, String db, String tbl) { Objects.requireNonNull(currentUser, "require currentUser object"); Objects.requireNonNull(ctl, "require ctl object"); Objects.requireNonNull(db, "require db object"); diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java index aa51856231c..65906b700c3 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/CatalogAccessController.java @@ -18,7 +18,6 @@ package org.apache.doris.mysql.privilege; import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.common.AnalysisException; import org.apache.doris.common.AuthorizationException; import java.util.List; @@ -80,6 +79,5 @@ public interface CatalogAccessController { Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl, String col); - List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, String tbl) - throws AnalysisException; + List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, String tbl); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java index f303d758dc4..485c6606ca2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/InternalAccessController.java 
@@ -18,15 +18,8 @@ package org.apache.doris.mysql.privilege; import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.catalog.Database; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.Table; -import org.apache.doris.common.AnalysisException; import org.apache.doris.common.AuthorizationException; -import org.apache.doris.datasource.InternalCatalog; -import org.apache.doris.policy.PolicyMgr; - -import com.google.common.collect.Lists; import java.util.List; import java.util.Optional; @@ -83,15 +76,7 @@ public class InternalAccessController implements CatalogAccessController { @Override public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, - String tbl) - throws AnalysisException { - // current not support external catalog - if (!InternalCatalog.INTERNAL_CATALOG_NAME.equals(ctl)) { - return Lists.newArrayList(); - } - PolicyMgr policyMgr = Env.getCurrentEnv().getPolicyMgr(); - Database database = Env.getCurrentEnv().getInternalCatalog().getDbOrAnalysisException(db); - Table table = database.getTableOrAnalysisException(tbl); - return policyMgr.getUserPolicies(database.getId(), table.getId(), currentUser); + String tbl) { + return Env.getCurrentEnv().getPolicyMgr().getUserPolicies(ctl, db, tbl, currentUser); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/logical/LogicalCheckPolicy.java b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/logical/LogicalCheckPolicy.java index e7ed8bf20ad..54f38034761 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/logical/LogicalCheckPolicy.java +++ b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/logical/LogicalCheckPolicy.java 
@@ -133,13 +133,8 @@ public class LogicalCheckPolicy<CHILD_TYPE extends Plan> extends LogicalUnary<CH String ctlName = catalogRelation.getDatabase().getCatalog().getName(); String dbName = catalogRelation.getDatabase().getFullName(); String tableName = catalogRelation.getTable().getName(); - List<? extends RowFilterPolicy> policies = null; - try { - policies = accessManager.evalRowFilterPolicies(currentUserIdentity, ctlName, - dbName, tableName); - } catch (org.apache.doris.common.AnalysisException e) { - throw new AnalysisException(e.getMessage(), e); - } + List<? extends RowFilterPolicy> policies = accessManager.evalRowFilterPolicies(currentUserIdentity, ctlName, + dbName, tableName); if (policies.isEmpty()) { return Optional.empty(); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/policy/DropPolicyLog.java b/fe/fe-core/src/main/java/org/apache/doris/policy/DropPolicyLog.java index 9b58e5b4d99..465c0394f21 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/policy/DropPolicyLog.java +++ b/fe/fe-core/src/main/java/org/apache/doris/policy/DropPolicyLog.java @@ -19,18 +19,15 @@ package org.apache.doris.policy; import org.apache.doris.analysis.DropPolicyStmt; import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.catalog.Database; -import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.Table; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.io.Text; import org.apache.doris.common.io.Writable; import org.apache.doris.persist.gson.GsonUtils; -import org.apache.doris.qe.ConnectContext; import com.google.gson.annotations.SerializedName; import lombok.AllArgsConstructor; import lombok.Getter; +import lombok.Setter; import java.io.DataInput; import java.io.DataOutput; 
@@ -41,14 +38,24 @@ import java.io.IOException; **/ @AllArgsConstructor @Getter +@Setter public class DropPolicyLog implements Writable { + @Deprecated @SerializedName(value = "dbId") private long dbId; + @Deprecated @SerializedName(value = "tableId") private long tableId; + @SerializedName(value = "ctlName") + private String ctlName; + @SerializedName(value = "dbName") + private String dbName; + @SerializedName(value = "tableName") + private String tableName; + @SerializedName(value = "type") private PolicyTypeEnum type; 
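Review bot: The `@Deprecated` annotations added to `dbId` and `tableId` carry no explanation, although `PolicyMgr.replayDrop` in this commit still reads both fields to translate old edit-log entries. A comment above each, such as `// Kept only to replay edit logs written before names were persisted; new code must use ctlName/dbName/tableName.`, would keep a later cleanup from deleting them. The class-level `@Setter` also makes every field of a persisted log record mutable, while the visible code only sets the three name fields after construction; putting `@Setter` on those three fields alone would be narrower.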
@@ -61,21 +68,32 @@ public class DropPolicyLog implements Writable { @SerializedName(value = "roleName") private String roleName; + public DropPolicyLog(PolicyTypeEnum type, String policyName) { + this.type = type; + this.policyName = policyName; + } + + public DropPolicyLog(String ctlName, String dbName, String tableName, PolicyTypeEnum type, String policyName, + UserIdentity user, String roleName) { + this.ctlName = ctlName; + this.dbName = dbName; + this.tableName = tableName; + this.type = type; + this.policyName = policyName; + this.user = user; + this.roleName = roleName; + } + /** * Generate delete logs through stmt. **/ public static DropPolicyLog fromDropStmt(DropPolicyStmt stmt) throws AnalysisException { switch (stmt.getType()) { case STORAGE: - return new DropPolicyLog(-1, -1, stmt.getType(), stmt.getPolicyName(), null, null); + return new DropPolicyLog(stmt.getType(), stmt.getPolicyName()); case ROW: - String curDb = stmt.getTableName().getDb(); - if (curDb == null) { - curDb = ConnectContext.get().getDatabase(); - } - Database db = Env.getCurrentInternalCatalog().getDbOrAnalysisException(curDb); - Table table = db.getTableOrAnalysisException(stmt.getTableName().getTbl()); - return new DropPolicyLog(db.getId(), table.getId(), stmt.getType(), + return new DropPolicyLog(stmt.getTableName().getCtl(), stmt.getTableName().getDb(), + stmt.getTableName().getTbl(), stmt.getType(), stmt.getPolicyName(), stmt.getUser(), stmt.getRoleName()); default: throw new AnalysisException("Invalid policy type: " + stmt.getType().name()); diff --git a/fe/fe-core/src/main/java/org/apache/doris/policy/Policy.java b/fe/fe-core/src/main/java/org/apache/doris/policy/Policy.java index 81603e5c435..81016e94826 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/policy/Policy.java +++ b/fe/fe-core/src/main/java/org/apache/doris/policy/Policy.java 
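Review bot: The `ROW` branch of `fromDropStmt` copies catalog and database straight from `stmt.getTableName()` with no fallback or validation, whereas the removed code filled a missing database from `ConnectContext` and resolved it. `RowPolicy.checkMatched` treats an empty `ctlName`, `dbName` or `tableName` as a wildcard, and `PolicyMgr.replayDrop` treats an empty `ctlName` as a legacy id-based entry, so a log built from partly qualified names could match same-named policies in other databases when applied and then be skipped when replayed. Unless `DropPolicyStmt.analyze` (not shown) guarantees all three parts, I would reject the statement here, e.g. `if (stmt.getTableName().getCtl() == null || stmt.getTableName().getDb() == null) { throw new AnalysisException("DROP ROW POLICY needs a fully qualified table name"); }`.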
@@ -19,9 +19,7 @@ package org.apache.doris.policy; import org.apache.doris.analysis.CreatePolicyStmt; import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.catalog.DatabaseIf; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.TableIf; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.DdlException; import org.apache.doris.common.io.Text; @@ -113,16 +111,13 @@ public abstract class Policy implements Writable, GsonPostProcessable { return storagePolicy; case ROW: // stmt must be analyzed. - DatabaseIf db = Env.getCurrentEnv().getCatalogMgr() - .getCatalogOrAnalysisException(stmt.getTableName().getCtl()) - .getDbOrAnalysisException(stmt.getTableName().getDb()); UserIdentity userIdent = stmt.getUser(); if (userIdent != null) { userIdent.analyze(); } - TableIf table = db.getTableOrAnalysisException(stmt.getTableName().getTbl()); - return new RowPolicy(policyId, stmt.getPolicyName(), db.getId(), userIdent, stmt.getRoleName(), - stmt.getOrigStmt().originStmt, table.getId(), stmt.getFilterType(), stmt.getWherePredicate()); + return new RowPolicy(policyId, stmt.getPolicyName(), stmt.getTableName().getCtl(), + stmt.getTableName().getDb(), stmt.getTableName().getTbl(), userIdent, stmt.getRoleName(), + stmt.getOrigStmt().originStmt, stmt.getFilterType(), stmt.getWherePredicate()); default: throw new AnalysisException("Unknown policy type: " + stmt.getType()); } diff --git a/fe/fe-core/src/main/java/org/apache/doris/policy/PolicyMgr.java b/fe/fe-core/src/main/java/org/apache/doris/policy/PolicyMgr.java index c3ce3f8a7d9..6673cccd0bf 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/policy/PolicyMgr.java +++ b/fe/fe-core/src/main/java/org/apache/doris/policy/PolicyMgr.java 
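Review bot: A table or database rename would detach a `ROW` policy created in `fromCreateStmt`, because the policy is now bound to three name strings and nothing visible in this commit re-keys it on rename. After a rename the table would stop matching its policy and be read unfiltered, and a different table later created under the old name would inherit the filter; this is the same trade-off the commit accepts for drop-and-recreate, but it should be stated. Unless rename handling exists elsewhere, I would add a comment above the `RowPolicy` construction such as `// Bound by (catalog, db, table) name: renaming the table detaches this policy; existence is expected to be checked in CreatePolicyStmt.analyze.` and confirm that the analyze step really validates the names now that the lookups here are gone. The method body starts and ends outside this hunk.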
@@ -34,8 +34,8 @@ import org.apache.doris.common.DdlException; import org.apache.doris.common.UserException; import org.apache.doris.common.io.Text; import org.apache.doris.common.io.Writable; +import org.apache.doris.datasource.InternalCatalog; import org.apache.doris.persist.gson.GsonUtils; -import org.apache.doris.qe.ConnectContext; import org.apache.doris.qe.ShowResultSet; import org.apache.doris.task.AgentBatchTask; import org.apache.doris.task.AgentTaskExecutor; @@ -74,8 +74,8 @@ public class PolicyMgr implements Writable { @SerializedName(value = "typeToPolicyMap") private Map<PolicyTypeEnum, List<Policy>> typeToPolicyMap = Maps.newConcurrentMap(); - // dbId -> tableId -> List<RowPolicy> - private Map<Long, Map<Long, List<RowPolicy>>> tablePolicies = Maps.newConcurrentMap(); + // ctlName -> dbName -> tableName -> List<RowPolicy> + private Map<String, Map<String, Map<String, List<RowPolicy>>>> tablePolicies = Maps.newConcurrentMap(); private void writeLock() { lock.writeLock().lock(); @@ -277,6 +277,25 @@ public class PolicyMgr implements Writable { } public void replayCreate(Policy policy) { + // for compatible + if (policy instanceof RowPolicy) { + RowPolicy rowPolicy = (RowPolicy) policy; + if (StringUtils.isEmpty(rowPolicy.getCtlName())) { + Optional<Database> db = Env.getCurrentEnv().getInternalCatalog().getDb(rowPolicy.getDbId()); + if (!db.isPresent()) { + LOG.warn("db may be dropped,ignore CreatePolicyLog. dbId:" + rowPolicy.getDbId()); + return; + } + Optional<Table> table = db.get().getTable(rowPolicy.getTableId()); + if (!table.isPresent()) { + LOG.warn("table may be dropped,ignore CreatePolicyLog. tableId:" + rowPolicy.getTableId()); + return; + } + rowPolicy.setCtlName(InternalCatalog.INTERNAL_CATALOG_NAME); + rowPolicy.setDbName(db.get().getName()); + rowPolicy.setTableName(table.get().getName()); + } + } unprotectedAdd(policy); if (policy instanceof StoragePolicy) { ((StoragePolicy) policy).addResourceReference(); 
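Review bot: A legacy row policy whose `dbId` or `tableId` can no longer be resolved silently stops existing in `replayCreate`: the method returns after one `LOG.warn` that does not name the policy, and the same block is repeated in `replayDrop` and in `compatible()` further down. For an access-control object I would make the skip easy to find by logging the policy name in the parameterized form this class already uses, e.g. `LOG.warn("skip row policy {}: db {} not found", rowPolicy.getPolicyName(), rowPolicy.getDbId());`. Extracting the id-to-name resolution into one private helper shared by the three call sites would keep the copies from drifting; the `compatible()` copy already logs "ignore DropPolicyLog" on the image-load path.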
@@ -298,6 +317,22 @@ public class PolicyMgr implements Writable { } public void replayDrop(DropPolicyLog log) { + // for compatible + if (log.getType() == PolicyTypeEnum.ROW && StringUtils.isEmpty(log.getCtlName())) { + Optional<Database> db = Env.getCurrentEnv().getInternalCatalog().getDb(log.getDbId()); + if (!db.isPresent()) { + LOG.warn("db may be dropped,ignore DropPolicyLog. dbId:" + log.getDbId()); + return; + } + Optional<Table> table = db.get().getTable(log.getTableId()); + if (!table.isPresent()) { + LOG.warn("table may be dropped,ignore DropPolicyLog. tableId:" + log.getTableId()); + return; + } + log.setCtlName(InternalCatalog.INTERNAL_CATALOG_NAME); + log.setDbName(db.get().getName()); + log.setTableName(table.get().getName()); + } unprotectedDrop(log); LOG.info("replay drop policy log: {}", log); } 
@@ -333,18 +368,19 @@ public class PolicyMgr implements Writable { /** * Match row policy and return it. **/ - public RowPolicy getMatchTablePolicy(long dbId, long tableId, UserIdentity user) { - List<RowPolicy> res = getUserPolicies(dbId, tableId, user); + public RowPolicy getMatchTablePolicy(String ctlName, String dbName, String tableName, UserIdentity user) { + List<RowPolicy> res = getUserPolicies(ctlName, dbName, tableName, user); if (CollectionUtils.isEmpty(res)) { return null; } return mergeRowPolicies(res); } - public List<RowPolicy> getUserPolicies(long dbId, long tableId, UserIdentity user) { + public List<RowPolicy> getUserPolicies(String ctlName, String dbName, String tableName, UserIdentity user) { List<RowPolicy> res = Lists.newArrayList(); // Make a judgment in advance to reduce the number of times to obtain getRoles - if (!tablePolicies.containsKey(dbId) || !tablePolicies.get(dbId).containsKey(tableId)) { + if (!tablePolicies.containsKey(ctlName) || !tablePolicies.get(ctlName).containsKey(dbName) + || !tablePolicies.get(ctlName).get(dbName).containsKey(tableName)) { return res; } Set<String> roles = Env.getCurrentEnv().getAccessManager().getAuth().getRolesByUserWithLdap(user).stream() @@ -352,10 +388,11 @@ public class PolicyMgr implements Writable { readLock(); try { // double check in lock,avoid NPE - if (!tablePolicies.containsKey(dbId) || !tablePolicies.get(dbId).containsKey(tableId)) { + if (!tablePolicies.containsKey(ctlName) || !tablePolicies.get(ctlName).containsKey(dbName) + || !tablePolicies.get(ctlName).get(dbName).containsKey(tableName)) { return res; } - List<RowPolicy> policys = tablePolicies.get(dbId).get(tableId); + List<RowPolicy> policys = tablePolicies.get(ctlName).get(dbName).get(tableName); for (RowPolicy rowPolicy : policys) { // on rowPolicy to user if ((rowPolicy.getUser() != null && rowPolicy.getUser().getQualifiedUser() 
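Review bot: The early-exit check in `getUserPolicies` walks three map levels with chained `tablePolicies.get(ctlName).containsKey(dbName)` and `.get(ctlName).get(dbName).containsKey(tableName)` calls before the read lock is taken, so an inner map removed between two calls would raise a NullPointerException outside the lock; the same chain is repeated under the lock in the second hunk. Whether entries can be removed concurrently depends on `updateTablePolicies`, which is not shown, but the existing "double check in lock, avoid NPE" comment suggests they can. I would resolve the list once with null-tolerant lookups and use that form for both checks, as sketched below. The method continues past the end of both hunks.

```java
// same three lookups serve as the unlocked pre-check and the check inside readLock()
Map<String, Map<String, List<RowPolicy>>> ctlPolicies = tablePolicies.get(ctlName);
Map<String, List<RowPolicy>> dbPolicies = ctlPolicies == null ? null : ctlPolicies.get(dbName);
List<RowPolicy> policys = dbPolicies == null ? null : dbPolicies.get(tableName);
if (policys == null) {
    return res;
}
// … unchanged: loop over policys matching user and roles …
```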
@@ -409,7 +446,6 @@ public class PolicyMgr implements Writable { **/ public ShowResultSet showPolicy(ShowPolicyStmt showStmt) throws AnalysisException { List<List<String>> rows = Lists.newArrayList(); - long currentDbId = ConnectContext.get().getCurrentDbId(); Policy checkedPolicy = null; switch (showStmt.getType()) { case STORAGE: @@ -424,9 +460,6 @@ public class PolicyMgr implements Writable { if (!StringUtils.isEmpty(showStmt.getRoleName())) { rowPolicy.setRoleName(showStmt.getRoleName()); } - if (currentDbId != -1) { - rowPolicy.setDbId(currentDbId); - } checkedPolicy = rowPolicy; } final Policy finalCheckedPolicy = checkedPolicy; 
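Review bot: SHOW ROW POLICY is no longer scoped to the session's current database in the `ROW` branch of `showPolicy`: `currentDbId` and `rowPolicy.setDbId(currentDbId)` are removed with no name-based replacement, so the listing, which includes each policy's predicate via `getShowInfo`, would cover every catalog and database. If the widening is intended it belongs in the commit description, and the privilege check guarding the statement (not shown) becomes the only limit. If it is not intended, the equivalent filter is `rowPolicy.setDbName(ConnectContext.get().getDatabase());`, which needs the `ConnectContext` import this commit removes. The method starts before the first hunk and ends after the second.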
@@ -456,28 +489,71 @@ public class PolicyMgr implements Writable { if (policy.getUser() != null) { policy.getUser().setIsAnalyzed(); } - List<RowPolicy> policys = getOrCreateTblPolicies(policy.getDbId(), policy.getTableId()); + List<RowPolicy> policys = getOrCreateTblPolicies(policy.getCtlName(), policy.getDbName(), + policy.getTableName()); policys.add(policy); } private void dropTablePolicies(RowPolicy policy) { - List<RowPolicy> policys = getOrCreateTblPolicies(policy.getDbId(), policy.getTableId()); + List<RowPolicy> policys = getOrCreateTblPolicies(policy.getCtlName(), policy.getDbName(), + policy.getTableName()); policys.removeIf(p -> p.matchPolicy(policy)); } - private List<RowPolicy> getOrCreateTblPolicies(long dbId, long tableId) { - Map<Long, List<RowPolicy>> dbPolicyMap = getOrCreateDbPolicyMap(dbId); - if (!dbPolicyMap.containsKey(tableId)) { - dbPolicyMap.put(tableId, Lists.newArrayList()); + private List<RowPolicy> getOrCreateTblPolicies(String ctlName, String dbName, String tableName) { + Map<String, List<RowPolicy>> dbPolicyMap = getOrCreateDbPolicyMap(ctlName, dbName); + if (!dbPolicyMap.containsKey(tableName)) { + dbPolicyMap.put(tableName, Lists.newArrayList()); } - return dbPolicyMap.get(tableId); + return dbPolicyMap.get(tableName); } - private Map<Long, List<RowPolicy>> getOrCreateDbPolicyMap(Long dbId) { - if (!tablePolicies.containsKey(dbId)) { - tablePolicies.put(dbId, Maps.newConcurrentMap()); + private Map<String, List<RowPolicy>> getOrCreateDbPolicyMap(String ctlName, String dbName) { + Map<String, Map<String, List<RowPolicy>>> ctlPolicyMap = getOrCreateCtlPolicyMap(ctlName); + if (!ctlPolicyMap.containsKey(dbName)) { + ctlPolicyMap.put(dbName, Maps.newConcurrentMap()); + } + return ctlPolicyMap.get(dbName); + } + + private Map<String, Map<String, List<RowPolicy>>> getOrCreateCtlPolicyMap(String ctlName) { + if (!tablePolicies.containsKey(ctlName)) { + tablePolicies.put(ctlName, Maps.newConcurrentMap()); + } + return 
tablePolicies.get(ctlName); + } + + private void compatible() { + readLock(); + try { + if (!typeToPolicyMap.containsKey(PolicyTypeEnum.ROW)) { + return; + } + List<Policy> allPolicies = typeToPolicyMap.get(PolicyTypeEnum.ROW); + List<Policy> compatiblePolicies = Lists.newArrayList(); + for (Policy policy : allPolicies) { + RowPolicy rowPolicy = (RowPolicy) policy; + if (StringUtils.isEmpty(rowPolicy.getCtlName())) { + Optional<Database> db = Env.getCurrentEnv().getInternalCatalog().getDb(rowPolicy.getDbId()); + if (!db.isPresent()) { + LOG.warn("db may be dropped,ignore DropPolicyLog. dbId:" + rowPolicy.getDbId()); + continue; + } + Optional<Table> table = db.get().getTable(rowPolicy.getTableId()); + if (!table.isPresent()) { + LOG.warn("table may be dropped,ignore DropPolicyLog. tableId:" + rowPolicy.getTableId()); + continue; + } + rowPolicy.setCtlName(InternalCatalog.INTERNAL_CATALOG_NAME); + rowPolicy.setDbName(db.get().getName()); + rowPolicy.setTableName(table.get().getName()); + } + compatiblePolicies.add(rowPolicy); + } + typeToPolicyMap.put(PolicyTypeEnum.ROW, compatiblePolicies); + } finally { + readUnlock(); } - return tablePolicies.get(dbId); } /** @@ -510,6 +586,8 @@ public class PolicyMgr implements Writable { public static PolicyMgr read(DataInput in) throws IOException { String json = Text.readString(in); PolicyMgr policyMgr = GsonUtils.GSON.fromJson(json, PolicyMgr.class); + // for compatible + policyMgr.compatible(); // update merge policy cache and userPolicySet policyMgr.updateTablePolicies(); return policyMgr; diff --git a/fe/fe-core/src/main/java/org/apache/doris/policy/RowPolicy.java b/fe/fe-core/src/main/java/org/apache/doris/policy/RowPolicy.java index 86dbeca28d2..2b52c03b7d5 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/policy/RowPolicy.java +++ b/fe/fe-core/src/main/java/org/apache/doris/policy/RowPolicy.java 
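Review bot: `compatible()` takes `readLock()` but rewrites state: it calls `setCtlName`/`setDbName`/`setTableName` on stored policies and replaces the `ROW` list with `typeToPolicyMap.put(...)`, so it should hold the write lock (`writeLock()` and its matching unlock) instead. Legacy policies whose database or table lookup fails are left out of `compatiblePolicies` and so disappear from the manager after image load; since `read()` calls this during deserialization, that is only safe if the internal catalog is already loaded at that point, which this diff does not show. The two warnings say "ignore DropPolicyLog" although this is the image path; `LOG.warn("db not found, discard row policy {}. dbId: {}", rowPolicy.getPolicyName(), rowPolicy.getDbId());` would be accurate and would name the policy being discarded.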
@@ -23,10 +23,7 @@ import org.apache.doris.analysis.SqlParser; import org.apache.doris.analysis.SqlScanner; import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.Column; -import org.apache.doris.catalog.Database; -import org.apache.doris.catalog.Env; import org.apache.doris.catalog.ScalarType; -import org.apache.doris.catalog.Table; import org.apache.doris.common.AnalysisException; import org.apache.doris.common.util.SqlParserUtils; import org.apache.doris.mysql.privilege.RowFilterPolicy; @@ -57,6 +54,7 @@ public class RowPolicy extends Policy implements RowFilterPolicy { public static final ShowResultSetMetaData ROW_META_DATA = ShowResultSetMetaData.builder() .addColumn(new Column("PolicyName", ScalarType.createVarchar(100))) + .addColumn(new Column("CatalogName", ScalarType.createVarchar(100))) .addColumn(new Column("DbName", ScalarType.createVarchar(100))) .addColumn(new Column("TableName", ScalarType.createVarchar(100))) .addColumn(new Column("Type", ScalarType.createVarchar(20))) @@ -79,11 +77,20 @@ public class RowPolicy extends Policy implements RowFilterPolicy { private String roleName = null; @SerializedName(value = "dbId") + @Deprecated private long dbId = -1; @SerializedName(value = "tableId") + @Deprecated private long tableId = -1; + @SerializedName(value = "ctlName") + private String ctlName; + @SerializedName(value = "dbName") + private String dbName; + @SerializedName(value = "tableName") + private String tableName; + /** * PERMISSIVE | RESTRICTIVE, If multiple types exist, the last type prevails. **/ 
@@ -128,13 +135,25 @@ public class RowPolicy extends Policy implements RowFilterPolicy { this.wherePredicate = wherePredicate; } + public RowPolicy(long policyId, final String policyName, String ctlName, String dbName, String tableName, + UserIdentity user, String roleName, + String originStmt, final FilterType filterType, final Expr wherePredicate) { + super(policyId, PolicyTypeEnum.ROW, policyName); + this.user = user; + this.roleName = roleName; + this.ctlName = ctlName; + this.dbName = dbName; + this.tableName = tableName; + this.filterType = filterType; + this.originStmt = originStmt; + this.wherePredicate = wherePredicate; + } + /** * Use for SHOW POLICY. **/ public List<String> getShowInfo() throws AnalysisException { - Database database = Env.getCurrentInternalCatalog().getDbOrAnalysisException(this.dbId); - Table table = database.getTableOrAnalysisException(this.tableId); - return Lists.newArrayList(this.policyName, database.getFullName(), table.getName(), this.type.name(), + return Lists.newArrayList(this.policyName, ctlName, dbName, tableName, this.type.name(), this.filterType.name(), this.wherePredicate.toSql(), this.user == null ? null : this.user.getQualifiedUser(), this.roleName, this.originStmt); } 
@@ -161,11 +180,12 @@ public class RowPolicy extends Policy implements RowFilterPolicy { this.filterType, this.wherePredicate); } - private boolean checkMatched(long dbId, long tableId, PolicyTypeEnum type, + private boolean checkMatched(String ctlName, String dbName, String tableName, PolicyTypeEnum type, String policyName, UserIdentity user, String roleName) { return super.checkMatched(type, policyName) - && (dbId == -1 || dbId == this.dbId) - && (tableId == -1 || tableId == this.tableId) + && (StringUtils.isEmpty(ctlName) || StringUtils.equals(ctlName, this.ctlName)) + && (StringUtils.isEmpty(dbName) || StringUtils.equals(dbName, this.dbName)) + && (StringUtils.isEmpty(tableName) || StringUtils.equals(tableName, this.tableName)) && (StringUtils.isEmpty(roleName) || StringUtils.equals(roleName, this.roleName)) && (user == null || Objects.equals(user, this.user)); } @@ -176,13 +196,15 @@ public class RowPolicy extends Policy implements RowFilterPolicy { return false; } RowPolicy rowPolicy = (RowPolicy) checkedPolicyCondition; - return checkMatched(rowPolicy.getDbId(), rowPolicy.getTableId(), rowPolicy.getType(), + return checkMatched(rowPolicy.getCtlName(), rowPolicy.getDbName(), rowPolicy.getTableName(), + rowPolicy.getType(), rowPolicy.getPolicyName(), rowPolicy.getUser(), rowPolicy.getRoleName()); } @Override public boolean matchPolicy(DropPolicyLog checkedDropPolicyLogCondition) { - return checkMatched(checkedDropPolicyLogCondition.getDbId(), checkedDropPolicyLogCondition.getTableId(), + return checkMatched(checkedDropPolicyLogCondition.getCtlName(), checkedDropPolicyLogCondition.getDbName(), + checkedDropPolicyLogCondition.getTableName(), checkedDropPolicyLogCondition.getType(), checkedDropPolicyLogCondition.getPolicyName(), checkedDropPolicyLogCondition.getUser(), checkedDropPolicyLogCondition.getRoleName()); } 
diff --git a/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java b/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java index 655217cf391..898eb180fac 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java +++ b/fe/fe-core/src/test/java/org/apache/doris/datasource/ColumnPrivTest.java @@ -32,7 +32,6 @@ import org.apache.doris.catalog.Column; import org.apache.doris.catalog.Env; import org.apache.doris.catalog.PrimitiveType; import org.apache.doris.cluster.ClusterNamespace; -import org.apache.doris.common.AnalysisException; import org.apache.doris.common.AuthorizationException; import org.apache.doris.common.FeConstants; import org.apache.doris.datasource.test.TestExternalCatalog.TestCatalogProvider; @@ -327,7 +326,7 @@ public class ColumnPrivTest extends TestWithFeService { @Override public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, - String db, String tbl) throws AnalysisException { + String db, String tbl) { return null; } } diff --git a/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java b/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java index e7b6c03da22..7b9c3ccd767 100644 --- a/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java +++ b/fe/fe-core/src/test/java/org/apache/doris/nereids/privileges/TestCheckPrivileges.java @@ -310,7 +310,7 @@ public class TestCheckPrivileges extends TestWithFeService { @Override public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, - String tbl) throws org.apache.doris.common.AnalysisException { + String tbl) { return Lists.newArrayList(); } } --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org