reject grant/revoke author statement on audit database

Author: shuwenwei

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java

@@ -1678,4 +1678,42 @@ public void testSecurityPrivilege() {
       fail(e.getMessage());
     }
   }
+
+  @Test
+  public void testAudit() {
+    try (Connection connection = EnvFactory.getEnv().getConnection();
+        Statement statement = connection.createStatement()) {
+      try {
+        statement.execute("grant read_data on root.__audit to user user2");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to root.__audit",
+            e.getMessage());
+      }
+      try {
+        statement.execute("revoke read_data on root.__audit from user user2");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to root.__audit",
+            e.getMessage());
+      }
+      try {
+        statement.execute("grant read_data on root.__audit to role role1");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to root.__audit",
+            e.getMessage());
+      }
+      try {
+        statement.execute("revoke read_data on root.__audit from role role1");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to root.__audit",
+            e.getMessage());
+      }
+    } catch (SQLException e) {
+      e.printStackTrace();
+      fail(e.getMessage());
+    }
+  }
 }

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBRelationalAuthIT.java

@@ -568,4 +568,41 @@ public void testAlterNonExistingUser() throws SQLException {
       }
     }
   }
+
+  @Test
+  public void testAudit() throws SQLException {
+    try (Connection adminCon = EnvFactory.getEnv().getConnection(BaseEnv.TABLE_SQL_DIALECT);
+        Statement adminStmt = adminCon.createStatement()) {
+      try {
+        adminStmt.execute("grant select on database __audit to user user2");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage());
+      }
+      try {
+        adminStmt.execute("grant select on table __audit.t1 to user user2");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage());
+      }
+      try {
+        adminStmt.execute("revoke select on table __audit.t1 from user user2");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage());
+      }
+      try {
+        adminStmt.execute("grant select on table __audit.t1 to role role1");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage());
+      }
+      try {
+        adminStmt.execute("revoke select on table __audit.t1 from role role1");
+      } catch (SQLException e) {
+        assertEquals(
+            "803: Access Denied: Cannot grant or revoke any privileges to __audit", e.getMessage());
+      }
+    }
+  }
 }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/ast/RelationalAuthorStatement.java

@@ -20,6 +20,7 @@
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.schema.table.Audit;
 import org.apache.iotdb.commons.schema.table.InformationSchema;
 import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
@@ -423,6 +424,11 @@ public TSStatus checkStatementIsValid(String currentUser) {
           return AuthorityChecker.getTSStatus(
               false, "Cannot grant or revoke any privileges to information_schema");
         }
+        if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) {
+          return AuthorityChecker.getTSStatus(
+              false,
+              "Cannot grant or revoke any privileges to " + Audit.TABLE_MODEL_AUDIT_DATABASE);
+        }
         break;
       case GRANT_USER_TB:
       case GRANT_ROLE_TB:
@@ -436,6 +442,11 @@ public TSStatus checkStatementIsValid(String currentUser) {
           return AuthorityChecker.getTSStatus(
               false, "Cannot grant or revoke any privileges to information_schema");
         }
+        if (Audit.TABLE_MODEL_AUDIT_DATABASE.equals(database)) {
+          return AuthorityChecker.getTSStatus(
+              false,
+              "Cannot grant or revoke any privileges to " + Audit.TABLE_MODEL_AUDIT_DATABASE);
+        }
         break;
       default:
         break;

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/sys/AuthorStatement.java

@@ -21,6 +21,7 @@
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.commons.schema.table.Audit;
 import org.apache.iotdb.commons.utils.AuthUtils;
 import org.apache.iotdb.commons.utils.CommonDateTimeUtils;
 import org.apache.iotdb.db.auth.AuthorityChecker;
@@ -340,6 +341,11 @@ public TSStatus checkStatementIsValid(String currentUser) {
           return AuthorityChecker.getTSStatus(
               false, "Cannot grant/revoke privileges of admin user");
         }
+        List<PartialPath> paths = getNodeNameList();
+        if (paths.stream().anyMatch(Audit::includeByAuditTreeDB)) {
+          return AuthorityChecker.getTSStatus(
+              false, "Cannot grant or revoke any privileges to " + Audit.TREE_MODEL_AUDIT_DATABASE);
+        }
         break;
     }
     return RpcUtils.SUCCESS_STATUS;