This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
commit 71314595be1848ebfa60f19b5a67859a995a9956 Author: Mingyu Chen <morning...@163.com> AuthorDate: Mon Apr 22 14:34:18 2024 +0800 [Enhancement](ranger) Disable some permission operations when Ranger or LDAP are enabled (#32538) (#33957) bp #32538 Co-authored-by: yongjinhou <109586248+yongjin...@users.noreply.github.com> --- .../src/main/java/org/apache/doris/analysis/CreateRoleStmt.java | 7 +++++++ .../src/main/java/org/apache/doris/analysis/CreateUserStmt.java | 8 ++++++++ .../src/main/java/org/apache/doris/analysis/DropRoleStmt.java | 7 +++++++ .../src/main/java/org/apache/doris/analysis/DropUserStmt.java | 7 +++++++ fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java | 6 ++++++ .../src/main/java/org/apache/doris/analysis/RevokeStmt.java | 5 +++++ 6 files changed, 40 insertions(+) diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java index 0a60a3060c3..9021402d48a 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateRoleStmt.java @@ -18,6 +18,8 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Env; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeNameFormat; @@ -60,6 +62,11 @@ public class CreateRoleStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { + throw new AnalysisException("Create role is prohibited when Ranger is enabled."); + } + FeNameFormat.checkRoleName(role, false /* can not be admin */, "Can not create role"); // check if current user has GRANT priv on GLOBAL level. 
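Review bot: The test `Config.access_controller_type.equalsIgnoreCase("ranger-doris")` in CreateRoleStmt.analyze is repeated verbatim in the DropRoleStmt, GrantStmt, RevokeStmt, CreateUserStmt and DropUserStmt hunks, so the controller name lives in six separate string literals. A later rename, or a second Ranger-backed controller type, could leave one of these statements unguarded without anyone noticing. I would move the comparison into one shared static helper and call it from all six analyze methods. Writing it as `"ranger-doris".equalsIgnoreCase(Config.access_controller_type)` also avoids a NullPointerException if the value is ever unset; its default is not visible in this diff. The body of analyze continues past the end of the hunk.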
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java index d8c589bf0b7..fad62800c71 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateUserStmt.java @@ -18,9 +18,12 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Env; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeNameFormat; +import org.apache.doris.common.LdapConfig; import org.apache.doris.common.UserException; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.mysql.privilege.Role; @@ -115,6 +118,11 @@ public class CreateUserStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") && LdapConfig.ldap_authentication_enabled) { + throw new AnalysisException("Create user is prohibited when Ranger and LDAP are enabled at same time."); + } + userIdent.analyze(); if (userIdent.isRootUser()) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java index df087432a0a..468b86579f4 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropRoleStmt.java @@ -18,6 +18,8 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Env; +import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeNameFormat; 
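Review bot: The guard in CreateUserStmt.analyze fires only when both conditions hold, `Config.access_controller_type.equalsIgnoreCase("ranger-doris") && LdapConfig.ldap_authentication_enabled`, while the commit title says "Ranger or LDAP". The DropUserStmt hunk uses the same conjunction. With Ranger alone or LDAP alone, CREATE USER and DROP USER remain available; that may be intended, but nothing in the hunk records the reasoning. After confirming the intent, add a comment above the condition, for example `// Local accounts stay manageable unless LDAP supplies identities and Ranger supplies policies.`, or change the operator to `||` if the title is authoritative.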
@@ -50,6 +52,11 @@ public class DropRoleStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { + throw new AnalysisException("Drop role is prohibited when Ranger is enabled."); + } + FeNameFormat.checkRoleName(role, false /* can not be superuser */, "Can not drop role"); // check if current user has GRANT priv on GLOBAL level. diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java index 61b9fdc7ab5..4b8196ad638 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/DropUserStmt.java @@ -19,8 +19,10 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; +import org.apache.doris.common.LdapConfig; import org.apache.doris.common.UserException; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.qe.ConnectContext; @@ -53,6 +55,11 @@ public class DropUserStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws AnalysisException, UserException { super.analyze(analyzer); + + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris") && LdapConfig.ldap_authentication_enabled) { + throw new AnalysisException("Drop user is prohibited when Ranger and LDAP are enabled at same time."); + } + userIdent.analyze(); if (userIdent.isRootUser()) { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java index f752ab7aae9..883a8edafc5 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java 
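Review bot: The Ranger rejection in DropRoleStmt.analyze runs before the privilege check that the trailing context comment `// check if current user has GRANT priv on GLOBAL level.` introduces. Any session able to submit DROP ROLE is therefore told that Ranger is the active access controller, whether or not it holds the GRANT privilege. The CreateRoleStmt hunk has the same ordering; the other four probably do too, though their privilege checks lie outside the visible lines. If that configuration detail should stay with administrators, move the added `if` below the existing privilege check so unprivileged callers keep receiving the ordinary access-denied error. The privilege check itself is outside this hunk.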
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/GrantStmt.java @@ -21,6 +21,7 @@ import org.apache.doris.analysis.CompoundPredicate.Operator; import org.apache.doris.catalog.AccessPrivilegeWithCols; import org.apache.doris.catalog.Env; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.FeNameFormat; @@ -137,6 +138,11 @@ public class GrantStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws UserException { super.analyze(analyzer); + + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { + throw new AnalysisException("Grant is prohibited when Ranger is enabled."); + } + if (userIdent != null) { userIdent.analyze(); } else { diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java index e586da88cc8..8c37396b851 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java +++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java @@ -19,6 +19,7 @@ package org.apache.doris.analysis; import org.apache.doris.catalog.AccessPrivilegeWithCols; import org.apache.doris.common.AnalysisException; +import org.apache.doris.common.Config; import org.apache.doris.common.FeNameFormat; import org.apache.doris.mysql.privilege.ColPrivilegeKey; import org.apache.doris.mysql.privilege.Privilege; 
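Review bot: The block added to GrantStmt.analyze stops GRANT only at statement analysis, and the diffstat shows nothing changed outside the six statement classes. Any path that modifies users, roles or privileges without going through these analyze methods would presumably still succeed with Ranger enabled. The diff does not show whether such paths exist on this branch (another planner front end, an HTTP or internal API). If they do, the same check belongs in the component that applies the change, with the analyze-time check kept for the early error. The commit also adds no test; one that sets `Config.access_controller_type` to "ranger-doris" and expects `AnalysisException` from each of the six statements would pin the behaviour.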
@@ -116,6 +117,10 @@ public class RevokeStmt extends DdlStmt { @Override public void analyze(Analyzer analyzer) throws AnalysisException { + if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { + throw new AnalysisException("Revoke is prohibited when Ranger is enabled."); + } + if (userIdent != null) { userIdent.analyze(); } else { --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org