Audit log patch for both tree and table models (apache#16497)

Author: CRZbulabula

integration-test/src/test/java/org/apache/iotdb/db/it/audit/IoTDBAuditLogBasicIT.java

@@ -77,6 +77,8 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import static org.apache.iotdb.db.pipe.receiver.protocol.legacy.loader.ILoader.SCHEMA_FETCHER;
 
@@ -159,6 +161,20 @@ private static InsertRowStatement generateInsertStatement(
           AUDIT_LOG_LOG
         });
     insertStatement.setAligned(false);
+    String sqlString = auditLogFields.getSqlString();
+    if (sqlString != null) {
+      if (sqlString.toUpperCase().startsWith("CREATE USER")) {
+        sqlString = String.join(" ", Arrays.asList(sqlString.split(" ")).subList(0, 3)) + " ...";
+      }
+      Pattern pattern = Pattern.compile("(?i)(values)\\([^)]*\\)");
+      Matcher matcher = pattern.matcher(sqlString);
+      StringBuffer sb = new StringBuffer();
+      while (matcher.find()) {
+        matcher.appendReplacement(sb, matcher.group(1) + "(...)");
+      }
+      matcher.appendTail(sb);
+      sqlString = sb.toString();
+    }
     insertStatement.setValues(
         new Object[] {
           new Binary(username == null ? "null" : username, TSFileConfig.STRING_CHARSET),
@@ -178,9 +194,7 @@ private static InsertRowStatement generateInsertStatement(
           new Binary(
               auditLogFields.getDatabase() == null ? "null" : auditLogFields.getDatabase(),
               TSFileConfig.STRING_CHARSET),
-          new Binary(
-              auditLogFields.getSqlString() == null ? "null" : auditLogFields.getSqlString(),
-              TSFileConfig.STRING_CHARSET),
+          new Binary(sqlString == null ? "null" : sqlString, TSFileConfig.STRING_CHARSET),
           new Binary(log == null ? "null" : log, TSFileConfig.STRING_CHARSET)
         });
     insertStatement.setDataTypes(

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/audit/DNAuditLogger.java

@@ -45,6 +45,7 @@
 import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
 import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControlImpl;
 import org.apache.iotdb.db.queryengine.plan.relational.security.ITableAuthCheckerImpl;
+import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckContext;
 import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckVisitor;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.RelationalAuthorStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -176,22 +177,21 @@ public static IAuditEntity createIAuditEntity(String userName, IClientSession cl
     }
   }
 
-  /** Check whether specific Session has the authorization to given plan. */
-  public static TSStatus checkAuthority(Statement statement, IClientSession session) {
+  public static TSStatus checkAuthority(Statement statement, IAuditEntity auditEntity) {
     long startTime = System.nanoTime();
     try {
+      if (auditEntity instanceof TreeAccessCheckContext) {
+        return accessControl.checkPermissionBeforeProcess(
+            statement, (TreeAccessCheckContext) auditEntity);
+      }
       return accessControl.checkPermissionBeforeProcess(
           statement,
-          new UserEntity(session.getUserId(), session.getUsername(), session.getClientAddress()));
-    } finally {
-      PERFORMANCE_OVERVIEW_METRICS.recordAuthCost(System.nanoTime() - startTime);
-    }
-  }
-
-  public static TSStatus checkAuthority(Statement statement, UserEntity userEntity) {
-    long startTime = System.nanoTime();
-    try {
-      return accessControl.checkPermissionBeforeProcess(statement, userEntity);
+          (TreeAccessCheckContext)
+              new TreeAccessCheckContext(
+                      auditEntity.getUserId(),
+                      auditEntity.getUsername(),
+                      auditEntity.getCliHostname())
+                  .setSqlString(auditEntity.getSqlString()));
     } finally {
       PERFORMANCE_OVERVIEW_METRICS.recordAuthCost(System.nanoTime() - startTime);
     }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java

@@ -86,6 +86,7 @@
 import org.apache.iotdb.db.queryengine.plan.execution.config.metadata.relational.CreateDBTask;
 import org.apache.iotdb.db.queryengine.plan.planner.LocalExecutionPlanner;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.metadata.write.view.AlterLogicalViewNode;
+import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckContext;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.ast.PipeEnriched;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -880,7 +881,12 @@ private TSStatus executeStatementWithPermissionCheckAndRetryOnDataTypeMismatch(
     // For table model, the authority check is done in inner execution. No need to check here
     if (!isTableModelStatement) {
       final TSStatus permissionCheckStatus =
-          AuthorityChecker.checkAuthority(statement, clientSession);
+          AuthorityChecker.checkAuthority(
+              statement,
+              new TreeAccessCheckContext(
+                  clientSession.getUserId(),
+                  clientSession.getUsername(),
+                  clientSession.getClientAddress()));
       if (permissionCheckStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
         PipeLogger.log(
             LOGGER::warn,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java

@@ -45,6 +45,7 @@
 import org.apache.iotdb.db.queryengine.plan.execution.config.metadata.relational.CreateDBTask;
 import org.apache.iotdb.db.queryengine.plan.planner.LocalExecutionPlanner;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.InsertNode;
+import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckContext;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
 import org.apache.iotdb.db.queryengine.plan.statement.crud.InsertBaseStatement;
@@ -481,7 +482,11 @@ private TSStatus executeStatementForTreeModel(final Statement statement, final S
     if (useEventUserName && userName != null) {
       session.setUsername(userName);
     }
-    final TSStatus permissionCheckStatus = AuthorityChecker.checkAuthority(statement, session);
+    final TSStatus permissionCheckStatus =
+        AuthorityChecker.checkAuthority(
+            statement,
+            new TreeAccessCheckContext(
+                session.getUserId(), session.getUsername(), session.getClientAddress()));
     if (permissionCheckStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
       PipeLogger.log(
           LOGGER::warn,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/sink/protocol/writeback/WriteBackSink.java

@@ -20,7 +20,6 @@
 package org.apache.iotdb.db.pipe.source.schemaregion;
 
 import org.apache.iotdb.commons.audit.IAuditEntity;
-import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.exception.auth.AccessDeniedException;
 import org.apache.iotdb.commons.path.MeasurementPath;
@@ -328,7 +327,9 @@ public Optional<PlanNode> visitDeleteData(
       final DeleteDataNode node, final IAuditEntity auditEntity) {
     final List<MeasurementPath> intersectedPaths =
         TreeAccessCheckVisitor.getIntersectedPaths4Pipe(
-            node.getPathList(), new TreeAccessCheckContext((UserEntity) auditEntity));
+            node.getPathList(),
+            new TreeAccessCheckContext(
+                auditEntity.getUserId(), auditEntity.getUsername(), auditEntity.getCliHostname()));
     if (!skip && !intersectedPaths.equals(node.getPathList())) {
       throw new AccessDeniedException("Not has privilege to transfer plan: " + node);
     }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/source/schemaregion/PipePlanTreePrivilegeParseVisitor.java

@@ -38,6 +38,7 @@
 import org.apache.iotdb.db.queryengine.plan.execution.ExecutionResult;
 import org.apache.iotdb.db.queryengine.plan.planner.LocalExecutionPlanner;
 import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
+import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckContext;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser;
 import org.apache.iotdb.db.queryengine.plan.statement.StatementType;
 import org.apache.iotdb.db.queryengine.plan.statement.crud.InsertMultiTabletsStatement;
@@ -98,7 +99,11 @@ public DataNodeInternalClient(SessionInfo sessionInfo) {
   public TSStatus insertTablets(InsertMultiTabletsStatement statement) {
     try {
       // permission check
-      TSStatus status = AuthorityChecker.checkAuthority(statement, session);
+      TSStatus status =
+          AuthorityChecker.checkAuthority(
+              statement,
+              new TreeAccessCheckContext(
+                  session.getUserId(), session.getUsername(), session.getClientAddress()));
       if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
         return status;
       }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/DataNodeInternalClient.java

@@ -37,6 +37,7 @@
 import org.apache.iotdb.db.queryengine.plan.execution.ExecutionResult;
 import org.apache.iotdb.db.queryengine.plan.planner.LocalExecutionPlanner;
 import org.apache.iotdb.db.queryengine.plan.relational.metadata.Metadata;
+import org.apache.iotdb.db.queryengine.plan.relational.security.TreeAccessCheckContext;
 import org.apache.iotdb.db.queryengine.plan.relational.sql.parser.SqlParser;
 import org.apache.iotdb.db.queryengine.plan.statement.crud.InsertRowStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.crud.InsertTabletStatement;
@@ -279,7 +280,11 @@ private void insertTree(TreeMessage message, MqttClientSession session) {
       }
       statement.setAligned(false);
 
-      tsStatus = AuthorityChecker.checkAuthority(statement, session);
+      tsStatus =
+          AuthorityChecker.checkAuthority(
+              statement,
+              new TreeAccessCheckContext(
+                  session.getUserId(), session.getUsername(), session.getClientAddress()));
       if (tsStatus.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
         LOG.warn(tsStatus.message);
       } else {

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/mqtt/MPPPublishHandler.java

@@ -19,29 +19,19 @@
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.audit.UserEntity;
-import org.apache.iotdb.commons.auth.entity.User;
 import org.apache.iotdb.db.auth.AuthorityChecker;
-import org.apache.iotdb.db.auth.BasicAuthorityCache;
-import org.apache.iotdb.db.auth.ClusterAuthorityFetcher;
-import org.apache.iotdb.db.auth.IAuthorityFetcher;
 import org.apache.iotdb.db.protocol.rest.model.ExecutionStatus;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
 import org.apache.iotdb.rpc.TSStatusCode;
 
-import org.apache.ratis.util.MemoizedSupplier;
-
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 
 public class AuthorizationHandler {
 
-  private static final MemoizedSupplier<IAuthorityFetcher> authorityFetcher =
-      MemoizedSupplier.valueOf(() -> new ClusterAuthorityFetcher(new BasicAuthorityCache()));
-
   public Response checkAuthority(SecurityContext securityContext, Statement statement) {
     String userName = securityContext.getUserPrincipal().getName();
-    User user = authorityFetcher.get().getUser(userName);
-    long userId = user == null ? -1 : user.getUserId();
+    long userId = AuthorityChecker.getUserId(userName).orElse(-1L);
     TSStatus status =
         AuthorityChecker.checkAuthority(statement, new UserEntity(userId, userName, ""));
     if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {