[doris] 01/03: 1

morningman Mon, 20 Feb 2023 06:34:45 -0800

This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch auth_replay_bg
in repository https://gitbox.apache.org/repos/asf/doris.git


commit c17eceaad4533d628662de19f97e334e0b083ac6
Author: morningman <morning...@163.com>
AuthorDate: Mon Feb 20 18:41:55 2023 +0800

    1
---
 .../src/main/java/org/apache/doris/PaloFe.java     |  6 ++--
 .../main/java/org/apache/doris/catalog/Env.java    |  8 +++--
 .../org/apache/doris/mysql/privilege/Auth.java     | 41 +++++++++++++---------
 .../org/apache/doris/mysql/privilege/Role.java     | 35 ++++++++++++++++++
 .../apache/doris/mysql/privilege/RoleManager.java  |  6 ++++
 .../doris/persist/meta/MetaPersistMethod.java      |  4 +--
 6 files changed, 75 insertions(+), 25 deletions(-)

diff --git a/fe/fe-core/src/main/java/org/apache/doris/PaloFe.java 
b/fe/fe-core/src/main/java/org/apache/doris/PaloFe.java
index 6fb315dced..61095e141d 100755
--- a/fe/fe-core/src/main/java/org/apache/doris/PaloFe.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/PaloFe.java
@@ -121,7 +121,7 @@ public class PaloFe {
             // check command line options
             checkCommandLineOptions(cmdLineOpts);
 
-            LOG.info("Palo FE starting...");
+            LOG.info("Doris FE starting...");
 
             FrontendOptions.init();
 
@@ -196,7 +196,7 @@ public class PaloFe {
 
     /*
      * -v --version
-     *      Print the version of Palo Frontend
+     *      Print the version of Doris Frontend
      * -h --helper
      *      Specify the helper node when joining a bdb je replication group
      * -i --image
@@ -222,7 +222,7 @@ public class PaloFe {
     private static CommandLineOptions parseArgs(String[] args) {
         CommandLineParser commandLineParser = new DefaultParser();
         Options options = new Options();
-        options.addOption("v", "version", false, "Print the version of Palo 
Frontend");
+        options.addOption("v", "version", false, "Print the version of Doris 
Frontend");
         options.addOption("h", "helper", true, "Specify the helper node when 
joining a bdb je replication group");
         options.addOption("i", "image", true, "Check if the specified image is 
valid");
         options.addOption("b", "bdb", false, "Run bdbje debug tools");
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java 
b/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
index febad5ea76..55bda1f4dc 100755
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/Env.java
@@ -1350,6 +1350,8 @@ public class Env {
                 }
             }
         }
+
+        auth.rectifyPrivs();
     }
 
     // start all daemon threads only running on Master
@@ -1821,10 +1823,10 @@ public class Env {
         return checksum;
     }
 
-    public long loadPaloAuth(DataInputStream dis, long checksum) throws 
IOException {
+    public long loadAuth(DataInputStream dis, long checksum) throws 
IOException {
         // CAN NOT use Auth.read(), cause this auth instance is already passed 
to DomainResolver
         auth.readFields(dis);
-        LOG.info("finished replay paloAuth from image");
+        LOG.info("finished replay auth from image");
         return checksum;
     }
 
@@ -2095,7 +2097,7 @@ public class Env {
         return checksum;
     }
 
-    public long savePaloAuth(CountingDataOutputStream dos, long checksum) 
throws IOException {
+    public long saveAuth(CountingDataOutputStream dos, long checksum) throws 
IOException {
         auth.write(dos);
         return checksum;
     }
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 441573dda1..14af84b91e 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -84,7 +84,7 @@ public class Auth implements Writable {
     private static final Logger LOG = LogManager.getLogger(Auth.class);
 
     // root user's role is operator.
-    // each Palo system has only one root user.
+    // each Doris system has only one root user.
     public static final String ROOT_USER = "root";
     public static final String ADMIN_USER = "admin";
     // unknown user does not have any privilege, this is just to be compatible 
with old version.
@@ -1222,13 +1222,13 @@ public class Auth implements Writable {
                                             
.getNameFromFullName(user.getUserIdentity().getQualifiedUser()))
                                     
.concat("\'@\'").concat(user.getUserIdentity().getHost()).concat("\'");
                             String isGrantable = 
tablePrivEntry.getPrivSet().get(2) ? "YES" : "NO"; // GRANT_PRIV
-                            for (Privilege paloPriv : 
tablePrivEntry.getPrivSet().toPrivilegeList()) {
-                                if 
(!Privilege.privInDorisToMysql.containsKey(paloPriv)) {
+                            for (Privilege priv : 
tablePrivEntry.getPrivSet().toPrivilegeList()) {
+                                if 
(!Privilege.privInDorisToMysql.containsKey(priv)) {
                                     continue;
                                 }
                                 TPrivilegeStatus status = new 
TPrivilegeStatus();
                                 status.setTableName(tblName);
-                                
status.setPrivilegeType(Privilege.privInDorisToMysql.get(paloPriv));
+                                
status.setPrivilegeType(Privilege.privInDorisToMysql.get(priv));
                                 status.setGrantee(grantee);
                                 status.setSchema(dbName);
                                 status.setIsGrantable(isGrantable);
@@ -1273,12 +1273,12 @@ public class Auth implements Writable {
                                             
.getNameFromFullName(user.getUserIdentity().getQualifiedUser()))
                                     
.concat("\'@\'").concat(user.getUserIdentity().getHost()).concat("\'");
                             String isGrantable = 
dbPrivEntry.getPrivSet().get(2) ? "YES" : "NO"; // GRANT_PRIV
-                            for (Privilege paloPriv : 
dbPrivEntry.getPrivSet().toPrivilegeList()) {
-                                if 
(!Privilege.privInDorisToMysql.containsKey(paloPriv)) {
+                            for (Privilege priv : 
dbPrivEntry.getPrivSet().toPrivilegeList()) {
+                                if 
(!Privilege.privInDorisToMysql.containsKey(priv)) {
                                     continue;
                                 }
                                 TPrivilegeStatus status = new 
TPrivilegeStatus();
-                                
status.setPrivilegeType(Privilege.privInDorisToMysql.get(paloPriv));
+                                
status.setPrivilegeType(Privilege.privInDorisToMysql.get(priv));
                                 status.setGrantee(grantee);
                                 status.setSchema(dbName);
                                 status.setIsGrantable(isGrantable);
@@ -1318,8 +1318,8 @@ public class Auth implements Writable {
                                 
.concat(ClusterNamespace.getNameFromFullName(user.getUserIdentity().getQualifiedUser()))
                                 
.concat("\'@\'").concat(user.getUserIdentity().getHost()).concat("\'");
                         String isGrantable = privEntry.getPrivSet().get(2) ? 
"YES" : "NO"; // GRANT_PRIV
-                        for (Privilege paloPriv : 
privEntry.getPrivSet().toPrivilegeList()) {
-                            if (paloPriv == Privilege.ADMIN_PRIV) {
+                        for (Privilege globalPriv : 
privEntry.getPrivSet().toPrivilegeList()) {
+                            if (globalPriv == Privilege.ADMIN_PRIV) {
                                 // ADMIN_PRIV includes all privileges of table 
and resource.
                                 for (String priv : 
Privilege.privInDorisToMysql.values()) {
                                     TPrivilegeStatus status = new 
TPrivilegeStatus();
@@ -1330,11 +1330,11 @@ public class Auth implements Writable {
                                 }
                                 break;
                             }
-                            if 
(!Privilege.privInDorisToMysql.containsKey(paloPriv)) {
+                            if 
(!Privilege.privInDorisToMysql.containsKey(globalPriv)) {
                                 continue;
                             }
                             TPrivilegeStatus status = new TPrivilegeStatus();
-                            
status.setPrivilegeType(Privilege.privInDorisToMysql.get(paloPriv));
+                            
status.setPrivilegeType(Privilege.privInDorisToMysql.get(globalPriv));
                             status.setGrantee(grantee);
                             status.setIsGrantable(isGrantable);
                             userPrivResult.add(status);
@@ -1403,7 +1403,6 @@ public class Auth implements Writable {
         }
     }
 
-
     //tmp for current user can only has one role
     private void setRoleToUser(UserIdentity userIdent, String role) throws 
DdlException {
         // 1. check if role exist
@@ -1416,10 +1415,18 @@ public class Auth implements Writable {
         userRoleManager.addUserRole(userIdent, 
roleManager.getUserDefaultRoleName(userIdent));
     }
 
-    public static Auth read(DataInput in) throws IOException {
-        Auth auth = new Auth();
-        auth.readFields(in);
-        return auth;
+
+    /**
+     * This is a bug that if created a normal user and grant it with 
ADMIN_PRIV/RESOURCE_PRIV/NODE_PRIV
+     * before v1.2, and then upgrade to v1.2, these privileges will be set in 
catalog level, but it should be
+     * in global level.
+     * This method will rectify this bug. And it's logic is same with 
userPrivTable.degradeToInternalCatalogPriv(),
+     * but userPrivTable.degradeToInternalCatalogPriv() only handle the info 
in images, not in edit log.
+     * This rectifyPrivs() will be called after image and edit log replayed.
+     * So it will rectify the bug in both images and edit log.
+     */
+    public void rectifyPrivs() {
+        roleManager.rectifyPrivs();
     }
 
     @Override
@@ -1450,7 +1457,7 @@ public class Auth implements Writable {
                 catalogPrivTable = (CatalogPrivTable) PrivTable.read(in);
             } else {
                 catalogPrivTable = 
userPrivTable.degradeToInternalCatalogPriv();
-                LOG.info("Load PaloAuth from meta version < {}, degrade 
UserPrivTable to CatalogPrivTable",
+                LOG.info("Load auth from meta version < {}, degrade 
UserPrivTable to CatalogPrivTable",
                         FeMetaVersion.VERSION_111);
             }
             DbPrivTable dbPrivTable = (DbPrivTable) PrivTable.read(in);
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
index 91956c1a96..3894a32094 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
@@ -532,6 +532,41 @@ public class Role implements Writable, GsonPostProcessable 
{
         tablePrivTable.revoke(entry, false, true);
     }
 
+    /**
+     * eg:
+     * Before, tblPatternToPrivs has 1 entry: ctl.*.* -> SELECT_PRIV, 
ADMIN_PRIV, ALTER_PRIV
+     * After, tblPatternToPrivs has 2 entries:
+     * *.*.* -> ADMIN_PRIV
+     * ctl.*.* -> SELECT_PRIV, ALTER_PRIV
+     */
+    public void rectifyPrivs() {
+        PrivBitSet modifiedGlobalPrivs = new PrivBitSet();
+        for (Map.Entry<TablePattern, PrivBitSet> entry : 
tblPatternToPrivs.entrySet()) {
+            TablePattern tblPattern = entry.getKey();
+            PrivBitSet privs = entry.getValue();
+            if (privs.containsPrivs(Privilege.ADMIN_PRIV, Privilege.NODE_PRIV, 
Privilege.USAGE_PRIV)
+                    && tblPattern.getPrivLevel() != PrivLevel.GLOBAL) {
+                LOG.info("retify privs: {} -> {}", tblPattern, privs);
+                PrivBitSet copiedPrivs = privs.copy();
+                copiedPrivs.and(PrivBitSet.of(Privilege.ADMIN_PRIV, 
Privilege.NODE_PRIV, Privilege.USAGE_PRIV));
+                modifiedGlobalPrivs.or(copiedPrivs);
+                // remove these privs from non global table pattern's priv set
+                privs.unset(Privilege.USAGE_PRIV.getIdx());
+                privs.unset(Privilege.NODE_PRIV.getIdx());
+                privs.unset(Privilege.ADMIN_PRIV.getIdx());
+
+            }
+        }
+        if (!modifiedGlobalPrivs.isEmpty()) {
+            PrivBitSet privBitSet = tblPatternToPrivs.get(TablePattern.ALL);
+            if (privBitSet == null) {
+                tblPatternToPrivs.put(TablePattern.ALL, modifiedGlobalPrivs);
+            } else {
+                privBitSet.or(modifiedGlobalPrivs);
+            }
+        }
+    }
+
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder();
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java 
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
index 851c19b3e0..b09ee99f4f 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/RoleManager.java
@@ -192,6 +192,12 @@ public class RoleManager implements Writable {
         return roles;
     }
 
+    public void rectifyPrivs() {
+        for (Map.Entry<String, Role> entry : roles.entrySet()) {
+            entry.getValue().rectifyPrivs();
+        }
+    }
+
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("Roles: ");
diff --git 
a/fe/fe-core/src/main/java/org/apache/doris/persist/meta/MetaPersistMethod.java 
b/fe/fe-core/src/main/java/org/apache/doris/persist/meta/MetaPersistMethod.java
index c01b868f02..638df09e67 100644
--- 
a/fe/fe-core/src/main/java/org/apache/doris/persist/meta/MetaPersistMethod.java
+++ 
b/fe/fe-core/src/main/java/org/apache/doris/persist/meta/MetaPersistMethod.java
@@ -129,9 +129,9 @@ public class MetaPersistMethod {
                 break;
             case "paloAuth":
                 metaPersistMethod.readMethod =
-                        Env.class.getDeclaredMethod("loadPaloAuth", 
DataInputStream.class, long.class);
+                        Env.class.getDeclaredMethod("loadAuth", 
DataInputStream.class, long.class);
                 metaPersistMethod.writeMethod =
-                        Env.class.getDeclaredMethod("savePaloAuth", 
CountingDataOutputStream.class, long.class);
+                        Env.class.getDeclaredMethod("saveAuth", 
CountingDataOutputStream.class, long.class);
                 break;
             case "transactionState":
                 metaPersistMethod.readMethod =


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

[doris] 01/03: 1

Reply via email to