This is an automated email from the ASF dual-hosted git repository. morningman pushed a commit to branch auth_replay_bg in repository https://gitbox.apache.org/repos/asf/doris.git
commit c6f30fadc2aaedbfd164f96874f525325eb66d5f
Author: morningman <morning...@163.com>
AuthorDate: Mon Feb 20 22:06:08 2023 +0800
3
---
 .../java/org/apache/doris/analysis/UserIdentity.java | 15 +++++++++++++++
 .../java/org/apache/doris/mysql/privilege/Role.java | 19 ++++++++++++++++---
 .../org/apache/doris/mysql/privilege/RoleManager.java | 14 ++++++++++----
 .../java/org/apache/doris/qe/SessionVariable.java | 10 ++++++++++
 4 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/analysis/UserIdentity.java b/fe/fe-core/src/main/java/org/apache/doris/analysis/UserIdentity.java
index 4b50479f66..0dae2ff17a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/UserIdentity.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/UserIdentity.java
@@ -27,6 +27,7 @@ import org.apache.doris.common.PatternMatcherWrapper;
 import org.apache.doris.common.io.Text;
 import org.apache.doris.common.io.Writable;
 import org.apache.doris.mysql.privilege.Auth;
+import org.apache.doris.mysql.privilege.RoleManager;
 import org.apache.doris.persist.gson.GsonPostProcessable;
 import org.apache.doris.persist.gson.GsonUtils;
 import org.apache.doris.thrift.TUserIdentity;
@@ -210,6 +211,20 @@ public class UserIdentity implements Writable, GsonPostProcessable {
 return tUserIdent;
 }
 
+// return default_role_rbac_username@host or default_role_rbac_username@[domain]
+public String toDefaultRoleName() {
+StringBuilder sb = new StringBuilder(
+RoleManager.DEFAULT_ROLE_PREFIX + ClusterNamespace.getNameFromFullName(user) + "@");
+if (isDomain) {
+sb.append("[");
+}
+sb.append(host);
+if (isDomain) {
+sb.append("]");
+}
+return sb.toString();
+}
+
 public static UserIdentity read(DataInput in) throws IOException {
 // Use Gson in the VERSION_109
 if (Env.getCurrentEnvJournalVersion() < FeMetaVersion.VERSION_109) {
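Review bot: The key produced by toDefaultRoleName() is not the key roles were stored under before this commit: it strips the cluster prefix with `ClusterNamespace.getNameFromFullName(user)` and brackets a domain host, whereas RoleManager previously used `DEFAULT_ROLE_PREFIX + userIdentity.toString()` (see the RoleManager.java hunk at line 181). Unless those two strings are identical for every identity, a default role persisted in an existing image under the old name will no longer be found by getUserDefaultRoleName after upgrade, so either a lookup fallback or a one-time rename on replay is needed; nothing in this commit handles that. The one-line `//` comment should also become a Javadoc stating the contract, e.g. `/** Name of this identity's internal default role: default_role_rbac_<user>@<host>, with the host wrapped in [ ] when it is a domain; the cluster prefix of user is stripped. */`.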
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
index 3894a32094..dc7b5a161b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
@@ -546,7 +546,7 @@ public class Role implements Writable, GsonPostProcessable {
 PrivBitSet privs = entry.getValue();
 if (privs.containsPrivs(Privilege.ADMIN_PRIV, Privilege.NODE_PRIV, Privilege.USAGE_PRIV)
 && tblPattern.getPrivLevel() != PrivLevel.GLOBAL) {
-LOG.info("retify privs: {} -> {}", tblPattern, privs);
+LOG.debug("rectify privs {}: {} -> {}", roleName, tblPattern, privs);
 PrivBitSet copiedPrivs = privs.copy();
 copiedPrivs.and(PrivBitSet.of(Privilege.ADMIN_PRIV, Privilege.NODE_PRIV, Privilege.USAGE_PRIV));
 modifiedGlobalPrivs.or(copiedPrivs);
@@ -554,7 +554,8 @@ public class Role implements Writable, GsonPostProcessable {
 privs.unset(Privilege.USAGE_PRIV.getIdx());
 privs.unset(Privilege.NODE_PRIV.getIdx());
 privs.unset(Privilege.ADMIN_PRIV.getIdx());
-
+LOG.debug("alter rectify privs {}: {} -> {}, modified global priv: {}",
+roleName, tblPattern, privs, modifiedGlobalPrivs);
 }
 }
 if (!modifiedGlobalPrivs.isEmpty()) {
@@ -565,6 +566,9 @@ public class Role implements Writable, GsonPostProcessable {
 privBitSet.or(modifiedGlobalPrivs);
 }
 }
+
+// rebuild these priv tables
+rebuildPrivTables();
 }
 
 @Override
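Review bot: Downgrading the rectification message from info to debug in the first hunk removes the only default-level log record that a role's ADMIN/NODE/USAGE privileges were lifted from a non-global pattern to global scope; that is a silent change to a role's effective privilege scope made at load time, and an operator later asking how a role came to hold global privileges will find nothing in the log. Keep the per-pattern lines at debug, but emit one info line per affected role inside the `if (!modifiedGlobalPrivs.isEmpty())` branch, e.g. `LOG.info("rectified privs of role {}: moved {} to global scope", roleName, modifiedGlobalPrivs);`. The enclosing method starts outside the hunk.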
@@ -621,7 +625,16 @@ public class Role implements Writable, GsonPostProcessable {
 }
 
 @Override
-public void gsonPostProcess() throws IOException {
+public void gsonPostProcess() {
+rebuildPrivTables();
+}
+
+private void rebuildPrivTables() {
+globalPrivTable = new GlobalPrivTable();
+catalogPrivTable = new CatalogPrivTable();
+dbPrivTable = new DbPrivTable();
+tablePrivTable = new TablePrivTable();
+resourcePrivTable = new ResourcePrivTable();
 for (Entry<TablePattern, PrivBitSet> entry : tblPatternToPrivs.entrySet()) {
 try {
 grantPrivs(entry.getKey(), entry.getValue().copy());
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
index b09ee99f4f..85a148399c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
@@ -30,6 +30,7 @@ import org.apache.doris.common.io.Text;
 import org.apache.doris.common.io.Writable;
 import org.apache.doris.mysql.privilege.Auth.PrivLevel;
 import org.apache.doris.persist.gson.GsonUtils;
+import org.apache.doris.qe.ConnectContext;
 import org.apache.doris.system.SystemInfoService;
 
 import com.google.common.base.Joiner;
@@ -122,11 +123,12 @@ public class RoleManager implements Writable {
 return existingRole;
 }
 
-
 public void getRoleInfo(List<List<String>> results) {
 for (Role role : roles.values()) {
 if (role.getRoleName().startsWith(DEFAULT_ROLE_PREFIX)) {
-continue;
+if (ConnectContext.get() == null || !ConnectContext.get().getSessionVariable().showUserDefaultRole) {
+continue;
+}
 }
 List<String> info = Lists.newArrayList();
 info.add(role.getRoleName());
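Review bot: rebuildPrivTables() discards all five privilege tables and re-derives them from `tblPatternToPrivs`, and it is now reached from two paths (deserialization and the rectification method in the earlier hunk), yet it carries no comment explaining that `tblPatternToPrivs` is the source of truth and the tables are a derived cache; add `/** Re-derives the five per-level privilege tables from tblPatternToPrivs; the tables are a cache and are discarded, not merged. */` above the method. The `try` around `grantPrivs` continues past the end of the hunk, so how a failed grant is handled is not visible here; if that catch only logs, a role whose grant fails ends up with fewer privileges in its tables than `tblPatternToPrivs` records, which is worth a warn-level message naming `roleName` and the pattern so the divergence is visible to operators. rebuildPrivTables' body ends outside the hunk.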
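Review bot: In getRoleInfo the new condition reads the public field `showUserDefaultRole` directly and calls `ConnectContext.get()` twice per role inside the loop, while the same commit adds `isShowUserDefaultRole()` to SessionVariable.java (last hunk) and then never uses it. Resolve the session flag once before the loop through the getter and fold the nested `if` into the existing one; the thread-local value cannot change mid-loop, so this is behavior-preserving and keeps the field private-able later. getRoleInfo's body continues past the hunk.
```java
public void getRoleInfo(List<List<String>> results) {
    ConnectContext ctx = ConnectContext.get();
    // default roles are hidden unless the session explicitly asks for them
    boolean showDefaultRoles = ctx != null && ctx.getSessionVariable().isShowUserDefaultRole();
    for (Role role : roles.values()) {
        if (!showDefaultRoles && role.getRoleName().startsWith(DEFAULT_ROLE_PREFIX)) {
            continue;
        }
        // … unchanged: building the info row …
```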
@@ -181,11 +183,15 @@ public class RoleManager implements Writable {
 }
 
 public Role removeDefaultRole(UserIdentity userIdent) {
-return roles.remove(getUserDefaultRoleName(userIdent));
+Role role = roles.remove(getUserDefaultRoleName(userIdent));
+if (role == null) {
+roles.remove(getUserDefaultRoleName(userIdent));
+}
+return role;
 }
 
 public String getUserDefaultRoleName(UserIdentity userIdentity) {
-return DEFAULT_ROLE_PREFIX + userIdentity.toString();
+return userIdentity.toDefaultRoleName();
 }
 
 public Map<String, Role> getRoles() {
diff --git a/fe/fe-core/src/main/java/org/apache/doris/qe/SessionVariable.java b/fe/fe-core/src/main/java/org/apache/doris/qe/SessionVariable.java
index d5a6c7e0f7..aba3f899dd 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/qe/SessionVariable.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/qe/SessionVariable.java
@@ -268,6 +268,8 @@ public class SessionVariable implements Serializable, Writable {
 public static final String GROUP_BY_AND_HAVING_USE_ALIAS_FIRST = "group_by_and_having_use_alias_first";
 public static final String DROP_TABLE_IF_CTAS_FAILED = "drop_table_if_ctas_failed";
 
+public static final String SHOW_USER_DEFAULT_ROLE = "show_user_default_role";
+
 // session origin value
 public Map<Field, String> sessionOriginValue = new HashMap<Field, String>();
 // check stmt is or not [select /*+ SET_VAR(...)*/ ...]
@@ -707,6 +709,10 @@ public class SessionVariable implements Serializable, Writable {
 @VariableMgr.VarAttr(name = DROP_TABLE_IF_CTAS_FAILED, needForward = true)
 public boolean dropTableIfCtasFailed = true;
 
+// If this is true, the result of `show roles` will return all user default role
+@VariableMgr.VarAttr(name = SHOW_USER_DEFAULT_ROLE, needForward = true)
+public boolean showUserDefaultRole = false;
+
 // If this fe is in fuzzy mode, then will use initFuzzyModeVariables to generate some variables,
 // not the default value set in the code.
 public void initFuzzyModeVariables() {
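Review bot: The fallback in removeDefaultRole is a no-op: when the first `roles.remove(getUserDefaultRoleName(userIdent))` returns null, the `if (role == null)` body removes the very same key again and discards the result. Since getUserDefaultRoleName now delegates to `toDefaultRoleName()` in the same hunk, the fallback was presumably meant to clear a role stored under the previous key format, which would read `role = roles.remove(DEFAULT_ROLE_PREFIX + userIdent.toString()); // legacy key, for roles persisted before toDefaultRoleName()`. As written, a default role persisted under the old name survives the user's removal together with whatever privileges it carries, so a replay test against an image written before this commit is worth adding.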
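Review bot: The comment on `showUserDefaultRole` should state what turning it on exposes: every user's default role is named `default_role_rbac_<user>@<host>` (toDefaultRoleName in UserIdentity.java in this commit), so with the flag set `show roles` enumerates user@host identities, and the variable is forwarded to the master (`needForward = true`). Whether `show roles` is itself restricted to grant-holders is not visible here; if it is not, that is the reason the default must stay `false`, and the comment should say so. Suggested wording: `// If true, \`show roles\` also lists every user's internal default role (default_role_rbac_<user>@<host>); off by default because those names enumerate account identities.`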
@@ -1471,6 +1477,10 @@ public class SessionVariable implements Serializable, Writable {
 this.enableFileCache = enableFileCache;
 }
 
+public boolean isShowUserDefaultRole() {
+return showUserDefaultRole;
+}
+
 /**
 * Serialize to thrift object.
 * Used for rest api.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org