(doris) branch branch-2.1 updated: branch-2.1: [fix](auth) fix use database stmt access unauthorized catalog #45720 (#45978)

Sun, 29 Dec 2024 18:43:41 -0800 

This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new 5425e4686b5 branch-2.1: [fix](auth) fix use  database stmt access  
unauthorized  catalog #45720 (#45978)
5425e4686b5 is described below

commit 5425e4686b57eb95ef2306a99120ef9e1deeadb0
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Mon Dec 30 10:43:28 2024 +0800

    branch-2.1: [fix](auth) fix use  database stmt access  unauthorized  
catalog #45720 (#45978)
    
    Cherry-picked from #45720
    
    Co-authored-by: Petrichor <[email protected]>
---
 .../java/org/apache/doris/analysis/UseStmt.java    |  9 ++-
 .../nereids_commands/test_use_database_stmt.out    |  7 ++
 .../nereids_commands/test_use_database_stmt.groovy | 76 ++++++++++++++++++++++
 3 files changed, 87 insertions(+), 5 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/UseStmt.java 
b/fe/fe-core/src/main/java/org/apache/doris/analysis/UseStmt.java
index 6bf7ce0bc03..39751313abc 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/UseStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/UseStmt.java
@@ -75,12 +75,11 @@ public class UseStmt extends StatementBase {
         if (Strings.isNullOrEmpty(database)) {
             ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
         }
-
+        String currentCatalogName = catalogName == null ? 
ConnectContext.get().getDefaultCatalog() : catalogName;
         if (!Env.getCurrentEnv().getAccessManager()
-                .checkDbPriv(ConnectContext.get(), 
ConnectContext.get().getDefaultCatalog(), database,
-                        PrivPredicate.SHOW)) {
-            
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR,
-                    analyzer.getQualifiedUser(), database);
+                .checkDbPriv(ConnectContext.get(), currentCatalogName, 
database, PrivPredicate.SHOW)) {
+            
ErrorReport.reportAnalysisException(ErrorCode.ERR_DBACCESS_DENIED_ERROR, 
analyzer.getQualifiedUser(),
+                    database);
         }
     }
 
diff --git 
a/regression-test/data/external_table_p0/nereids_commands/test_use_database_stmt.out
 
b/regression-test/data/external_table_p0/nereids_commands/test_use_database_stmt.out
new file mode 100644
index 00000000000..f403e40f223
--- /dev/null
+++ 
b/regression-test/data/external_table_p0/nereids_commands/test_use_database_stmt.out
@@ -0,0 +1,7 @@
+-- This file is automatically generated. You should know what you did if you 
want to edit this
+-- !sql --
+internal
+
+-- !sql --
+internal
+
diff --git 
a/regression-test/suites/external_table_p0/nereids_commands/test_use_database_stmt.groovy
 
b/regression-test/suites/external_table_p0/nereids_commands/test_use_database_stmt.groovy
new file mode 100644
index 00000000000..4c9035d1347
--- /dev/null
+++ 
b/regression-test/suites/external_table_p0/nereids_commands/test_use_database_stmt.groovy
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_use_database_stmt", 
"p0,external,mysql,external_docker,external_docker_mysql") {
+    String enabled = context.config.otherConfigs.get("enableJdbcTest")
+    String externalEnvIp = context.config.otherConfigs.get("externalEnvIp")
+    String s3_endpoint = getS3Endpoint()
+    String bucket = getS3BucketName()
+    String driver_url = 
"https://${bucket}.${s3_endpoint}/regression/jdbc_driver/mysql-connector-java-8.0.25.jar";
+    if (enabled != null && enabled.equalsIgnoreCase("true")) {
+        String catalog_name = "use_db_nereids";
+        String internal_catalog = "internal";
+        String internal_db_name = "testdb";
+        String ex_db_name = "testdb";
+        String user = "kevin"
+        String pwd = "doris@123456"
+        String mysql_port = context.config.otherConfigs.get("mysql_57_port");
+        String[] tokens = context.config.jdbcUrl.split('/')
+        String url=tokens[0] + "//" + tokens[2] + "/" + "${internal_db_name}" 
+ "?"
+
+        sql """drop catalog if exists ${catalog_name}; """
+        sql """drop database if exists ${internal_db_name};"""
+
+        sql """switch internal;"""
+        sql """create database ${internal_db_name};"""
+        sql """use ${internal_db_name};"""
+
+        sql """create catalog if not exists ${catalog_name} properties(
+            "type"="jdbc",
+            "user"="root",
+            "password"="123456",
+            "jdbc_url" = 
"jdbc:mysql://${externalEnvIp}:${mysql_port}/doris_test?useSSL=false",
+            "driver_url" = "${driver_url}",
+            "driver_class" = "com.mysql.cj.jdbc.Driver"
+        );"""
+
+        sql """CALL EXECUTE_STMT("${catalog_name}", "drop database if exists 
${ex_db_name}");"""
+        sql """CALL EXECUTE_STMT("${catalog_name}", "create database if not 
exists ${ex_db_name}");"""
+        sql """switch ${internal_catalog};"""
+
+        try_sql("DROP USER ${user}")
+        sql """CREATE USER ${user}@'%' IDENTIFIED BY '${pwd}';"""
+        sql """GRANT SELECT_PRIV ON ${internal_catalog}.*.* TO 
'${user}'@'%';"""
+
+        connect(user, pwd, url) {
+            try {
+                sql """switch internal"""
+                sql """use ${internal_db_name}"""
+                qt_sql """select current_catalog()"""
+                sql """use ${catalog_name}.${ex_db_name}"""
+                exception"Access denied for user '${user}' to database 
'${ex_db_name}'";
+            } catch (Exception e) {
+                log.info(e.getMessage())
+            }
+            qt_sql """select current_catalog()"""
+        }
+        sql """switch ${internal_catalog}"""
+        sql """drop database if exists ${internal_db_name};"""
+        sql """CALL EXECUTE_STMT("${catalog_name}", "drop database if exists 
${ex_db_name}");"""
+        sql """ drop catalog if exists ${catalog_name} ;"""
+    }
+}


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to