This is an automated email from the ASF dual-hosted git repository.
yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push:
new d786948b616 branch-2.1: [fix](auth)Privatize the authentication
methods in the Auth class to avoid being called incorrectly #48033 (#48531)
d786948b616 is described below
commit d786948b61654959053eb5ebe113c8e9024d8393
Author: zhangdong <[email protected]>
AuthorDate: Wed Mar 5 12:33:18 2025 +0800
branch-2.1: [fix](auth)Privatize the authentication methods in the Auth
class to avoid being called incorrectly #48033 (#48531)
Cherry-picked from https://github.com/apache/doris/pull/48033
---
.../src/main/java/org/apache/doris/mysql/privilege/Auth.java | 12 ++++++------
.../trees/plans/commands/call/CallExecuteStmtFunc.java | 2 +-
.../trees/plans/commands/call/CallFlushAuditLogFunc.java | 2 +-
.../apache/doris/tablefunction/QueryTableValueFunction.java | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 7346daddd7c..e5161a8cc2a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -278,7 +278,7 @@ public class Auth implements Writable {
}
// ==== Catalog ====
- public boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
+ protected boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should not check NODE priv in catalog level. user:
{}, catalog: {}",
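Review bot: `protected` in Java still grants access to every class in the `org.apache.doris.mysql.privilege` package, not only to subclasses, so narrowing `checkCtlPriv` here blocks outside callers at compile time but does not stop same-package code from skipping the access-manager path. The same applies to `checkDbPriv`, `checkTblPriv`, `checkColsPriv`, `checkResourcePriv` and `checkWorkloadGroupPriv` in the later hunks of this file. If package access is intentional, presumably because the access-control layer lives in that package, a Javadoc line on each method would make the contract explicit, e.g. `/** Internal check; callers outside the access-control layer must use Env.getCurrentEnv().getAccessManager() instead. */`. The method body continues past the end of this hunk.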
@@ -301,7 +301,7 @@ public class Auth implements Writable {
}
// ==== Database ====
- public boolean checkDbPriv(UserIdentity currentUser, String ctl, String
db, PrivPredicate wanted) {
+ protected boolean checkDbPriv(UserIdentity currentUser, String ctl, String
db, PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should not check NODE priv in Database level. user:
{}, db: {}",
@@ -325,7 +325,7 @@ public class Auth implements Writable {
}
// ==== Table ====
- public boolean checkTblPriv(UserIdentity currentUser, String ctl, String
db, String tbl, PrivPredicate wanted) {
+ protected boolean checkTblPriv(UserIdentity currentUser, String ctl,
String db, String tbl, PrivPredicate wanted) {
if (wanted.getPrivs().containsNodePriv()) {
if (LOG.isDebugEnabled()) {
LOG.debug("should check NODE priv in GLOBAL level. user: {},
db: {}, tbl: {}", currentUser, db, tbl);
@@ -349,7 +349,7 @@ public class Auth implements Writable {
// ==== Column ====
// The reason why this method throws an exception instead of returning a
boolean is to
// indicate which col does not have permission
- public void checkColsPriv(UserIdentity currentUser, String ctl, String db,
String tbl, Set<String> cols,
+ protected void checkColsPriv(UserIdentity currentUser, String ctl, String
db, String tbl, Set<String> cols,
PrivPredicate wanted) throws AuthorizationException {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
for (String col : cols) {
@@ -372,7 +372,7 @@ public class Auth implements Writable {
}
// ==== Resource ====
- public boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
+ protected boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
readLock();
try {
Set<Role> roles = getRolesByUserWithLdap(currentUser);
@@ -388,7 +388,7 @@ public class Auth implements Writable {
}
// ==== Workload Group ====
- public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String
workloadGroupName, PrivPredicate wanted) {
+ protected boolean checkWorkloadGroupPriv(UserIdentity currentUser, String
workloadGroupName, PrivPredicate wanted) {
readLock();
try {
// currently stream load not support ip based auth, so normal
should not auth temporary
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
index 1e36915c111..4302d277708 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallExecuteStmtFunc.java
@@ -92,7 +92,7 @@ public class CallExecuteStmtFunc extends CallFunc {
}
// check priv
- if (!Env.getCurrentEnv().getAuth().checkCtlPriv(user, catalogName,
PrivPredicate.LOAD)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(user,
catalogName, PrivPredicate.LOAD)) {
throw new AnalysisException("user " + user + " has no privilege to
execute stmt in catalog " + catalogName);
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
index 60cae55e7f5..8d0beef4e67 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/call/CallFlushAuditLogFunc.java
@@ -48,7 +48,7 @@ public class CallFlushAuditLogFunc extends CallFunc {
@Override
public void run() {
// check priv
- if (!Env.getCurrentEnv().getAuth().checkGlobalPriv(user,
PrivPredicate.ADMIN)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(user,
PrivPredicate.ADMIN)) {
throw new AnalysisException("Only admin can flush audit log");
}
// flush audit log
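Review bot: `Auth.checkGlobalPriv` is not among the six methods whose visibility this commit narrows in Auth.java, even though this call site is moved to `getAccessManager().checkGlobalPriv`. Assuming it is still `public` (the diff does not show its declaration), a later caller can reach it through `getAuth()` without a compile error, and the ADMIN gate on audit-log flushing would then rest on convention only. Consider narrowing it in the same way as the other checks, or adding a comment on the method explaining why it stays public. `run()` continues past the end of this hunk.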
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
index 07a125836b7..269ebdeab42 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/tablefunction/QueryTableValueFunction.java
@@ -62,7 +62,7 @@ public abstract class QueryTableValueFunction extends
TableValuedFunctionIf {
// check priv
UserIdentity userIdentity =
ConnectContext.get().getCurrentUserIdentity();
- if (!Env.getCurrentEnv().getAuth().checkCtlPriv(userIdentity,
catalogName, PrivPredicate.SELECT)) {
+ if (!Env.getCurrentEnv().getAccessManager().checkCtlPriv(userIdentity,
catalogName, PrivPredicate.SELECT)) {
throw new org.apache.doris.nereids.exceptions.AnalysisException(
"user " + userIdentity + " has no privilege to query in
catalog " + catalogName);
}