This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new 30256195c3f fix check column privilege failed by hidden column (#34849)
30256195c3f is described below

commit 30256195c3f71114557143e3c73f5e24d77af8ce
Author: 924060929 <924060...@qq.com>
AuthorDate: Tue May 14 22:34:23 2024 +0800

    fix check column privilege failed by hidden column (#34849)
    
    fix check column privilege failed by hidden column: DORIS_DELETE_SIGN
---
 .../nereids/rules/rewrite/CheckPrivileges.java     |  6 ++
 .../authorization/column_authorization.groovy      | 65 ++++++++++++++++++++++
 2 files changed, 71 insertions(+)

diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
index 713a9404dc0..5c82dfac651 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/nereids/rules/rewrite/CheckPrivileges.java
@@ -26,6 +26,7 @@ import org.apache.doris.nereids.exceptions.AnalysisException;
 import org.apache.doris.nereids.jobs.JobContext;
 import org.apache.doris.nereids.rules.analysis.UserAuthentication;
 import org.apache.doris.nereids.trees.expressions.Slot;
+import org.apache.doris.nereids.trees.expressions.SlotReference;
 import org.apache.doris.nereids.trees.plans.Plan;
 import org.apache.doris.nereids.trees.plans.logical.LogicalCatalogRelation;
 import org.apache.doris.nereids.trees.plans.logical.LogicalRelation;
@@ -81,6 +82,11 @@ public class CheckPrivileges extends ColumnPruning {
         for (Slot requiredSlot : requiredSlots) {
             Slot slot = idToSlot.get(requiredSlot.getExprId().asInt());
             if (slot != null) {
+                // don't check privilege for hidden column, e.g. 
__DORIS_DELETE_SIGN__
+                if (slot instanceof SlotReference && ((SlotReference) 
slot).getColumn().isPresent()
+                        && !((SlotReference) 
slot).getColumn().get().isVisible()) {
+                    continue;
+                }
                 usedColumns.add(slot.getName());
             }
         }
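Review bot: The new `continue` in the `requiredSlots` loop exempts every column whose `isVisible()` is false from the column-privilege check, not only `__DORIS_DELETE_SIGN__`, and it applies equally when the query names the hidden column explicitly rather than the planner adding it. If any hidden column can hold values derived from user data (a sequence column would be one candidate; nothing in this hunk shows either way), a grant on a single unrelated column would be enough to read it. It is also worth confirming that a query whose required slots are all hidden still reaches a table-level check when `usedColumns` stays empty; the rest of the method is outside the hunk. Once that is verified, I would extend the comment to record why the exemption is safe, e.g. `// hidden columns are engine-maintained and carry no user data; table-level access is still enforced separately`.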
diff --git 
a/regression-test/suites/nereids_p0/authorization/column_authorization.groovy 
b/regression-test/suites/nereids_p0/authorization/column_authorization.groovy
new file mode 100644
index 00000000000..9bd1c512acc
--- /dev/null
+++ 
b/regression-test/suites/nereids_p0/authorization/column_authorization.groovy
@@ -0,0 +1,65 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("column_authorization") {
+    def db = context.config.getDbNameByFile(context.file)
+    def user1 = "test_unique_table_auth_user1"
+    def baseTable = "test_unique_table_auth_base_table"
+
+
+    sql "drop table if exists ${baseTable}"
+
+    sql """
+        CREATE TABLE ${baseTable} (id INT, name TEXT)
+            unique key(id)
+            DISTRIBUTED BY HASH(`id`)
+            PROPERTIES (
+            "replication_allocation" = "tag.location.default: 1"
+        );
+        """
+
+    sql "insert into ${baseTable} values(1, 'hello'), (2, 'world'), (3, 
'doris');"
+
+    sql "drop user if exists ${user1}"
+    sql "create user ${user1}"
+    sql "grant SELECT_PRIV(id) on ${db}.${baseTable} to '${user1}'@'%';"
+
+    //cloud-mode
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER ${validCluster} TO ${user1}""";
+    }
+
+    sql 'sync'
+
+    def defaultDbUrl = context.config.jdbcUrl.substring(0, 
context.config.jdbcUrl.lastIndexOf("/"))
+    logger.info("connect to ${defaultDbUrl}".toString())
+    connect(user = user1, password = null, url = defaultDbUrl) {
+        sql "set enable_fallback_to_original_planner=false"
+
+        // no privilege to name
+        test {
+            sql "select * from ${db}.${baseTable}"
+            exception "Permission denied"
+        }
+
+        // has privilege to id, __DORIS_DELETE_SIGN__
+        sql "select id, __DORIS_DELETE_SIGN__ from ${db}.${baseTable}"
+    }
+}
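Review bot: The suite only covers a user who already holds `SELECT_PRIV(id)`; there is no case for an account with no column grant on the table selecting only `__DORIS_DELETE_SIGN__`, which is the boundary the CheckPrivileges change moves. Adding a second user without the grant and a block such as `test { sql "select __DORIS_DELETE_SIGN__ from ${db}.${baseTable}"; exception "Permission denied" }` would pin the intended behaviour (adjust the expectation if access is meant to be allowed). The suite also leaves `${user1}`, created without a password, and its grant in place after the run; a closing `sql "drop user if exists ${user1}"` would keep passwordless accounts from lingering on shared regression clusters.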

