This is an automated email from the ASF dual-hosted git repository. yiguolei pushed a commit to branch branch-2.1 in repository https://gitbox.apache.org/repos/asf/doris.git
commit c62ff0b672b1b3ec3a24cde33fbd3b4825ce5355 Author: deardeng <565620...@qq.com> AuthorDate: Sat May 11 10:47:36 2024 +0800 [fix](auth) Disable revoke 'admin' from 'admin'` (#34644)
---
 .../java/org/apache/doris/analysis/RevokeStmt.java | 6 +++ .../auth/test_disable_revoke_admin_auth.groovy | 46 ++++++++++++++++++++++ 2 files changed, 52 insertions(+)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
index 8c37396b851..3b2dd7167ad 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/RevokeStmt.java
@@ -20,6 +20,7 @@ package org.apache.doris.analysis;
 import org.apache.doris.catalog.AccessPrivilegeWithCols;
 import org.apache.doris.common.AnalysisException;
 import org.apache.doris.common.Config;
+import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.FeNameFormat;
 import org.apache.doris.mysql.privilege.ColPrivilegeKey;
 import org.apache.doris.mysql.privilege.Privilege;
@@ -34,6 +35,7 @@ import org.apache.commons.collections.MapUtils;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 // REVOKE STMT
 // revoke privilege from some user, this is an administrator operation.
@@ -159,6 +161,10 @@ public class RevokeStmt extends DdlStmt {
 GrantStmt.checkWorkloadGroupPrivileges(privileges, workloadGroupPattern);
 } else if (roles != null) {
 GrantStmt.checkRolePrivileges();
+ if (roles.stream().map(String::toLowerCase).collect(Collectors.toList()).contains("admin")
+ && userIdent.isAdminUser()) {
+ ErrorReport.reportAnalysisException("Unsupported operation");
+ }
 }
 }
diff --git a/regression-test/suites/cloud_p0/auth/test_disable_revoke_admin_auth.groovy b/regression-test/suites/cloud_p0/auth/test_disable_revoke_admin_auth.groovy
new file mode 100644
index 00000000000..2a36ecf8879
--- /dev/null
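Review bot: The guard added in the `roles != null` branch lower-cases each role name with `String::toLowerCase`, which follows the JVM default locale; under a Turkish locale an upper-case spelling of the role lower-cases to a string with a dotless i, so `contains("admin")` would not match and the check would not fire (this matters only if role names are resolved case-insensitively further down, which the hunk does not show). A locale-independent form that also avoids building the intermediate list is `if (roles.stream().anyMatch("admin"::equalsIgnoreCase) && userIdent.isAdminUser()) {`. The message `"Unsupported operation"` does not tell the operator which rule rejected the statement; naming the rule (revoking the admin role from the built-in admin user) would help, with the new regression test updated to match. The enclosing method starts outside the hunk, so whether every revoke path reaches this analysis-time check cannot be confirmed from here.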
+++ b/regression-test/suites/cloud_p0/auth/test_disable_revoke_admin_auth.groovy
@@ -0,0 +1,46 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_disable_revoke_admin_auth", "cloud_auth") {
+ def user = "regression_test_cloud_revoke_admin_user"
+ sql """drop user if exists ${user}"""
+
+ sql """create user ${user} identified by 'Cloud12345' default role 'admin'"""
+
+ sql "sync"
+
+ try {
+ result = sql """revoke 'admin' from 'admin'""";
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("Unsupported operation"), e.getMessage())
+ }
+
+ try {
+ result = connect(user = "${user}", password = 'Cloud12345', url = context.config.jdbcUrl) {
+ sql """
+ revoke 'admin' from 'admin'
+ """
+ }
+ } catch (Exception e) {
+ assertTrue(e.getMessage().contains("Unsupported operation"), e.getMessage())
+ }
+
+ result = sql """revoke 'admin' from ${user}"""
+ assertEquals(result[0][0], 0)
+
+ sql """drop user if exists ${user}"""
+}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org For additional commands, e-mail: commits-h...@doris.apache.org
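Review bot: Both `try { ... } catch (Exception e) { assertTrue(...) }` blocks pass silently when `revoke 'admin' from 'admin'` succeeds, because nothing fails the test if no exception is thrown; the suite would stay green with the RevokeStmt guard removed, and a successful revoke would also leave the admin account changed for later suites. Record the rejection and assert it after each block: `def rejected = false` before the `try`, `rejected = true` inside the `catch`, and `assertTrue(rejected)` after it. The suite sits under `cloud_p0` with the `cloud_auth` tag, so it presumably runs only in the cloud pipeline although the check itself is not cloud-specific; an equivalent case in the general auth suites would cover both deployments.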