Unify access control to AccessControl

Author: JackieTien97

integration-test/src/test/java/org/apache/iotdb/relational/it/schema/IoTDBDatabaseIT.java

@@ -60,12 +60,16 @@ public void setUp() throws Exception {
         .getConfig()
         .getCommonConfig()
         .setEnforceStrongPassword(false)
+        .setPipeMemoryManagementEnabled(false)
+        .setIsPipeEnableMemoryCheck(false)
         .setPipeAutoSplitFullEnabled(false);
     // enable subscription
     EnvFactory.getEnv()
         .getConfig()
         .getCommonConfig()
         .setSubscriptionEnabled(true)
+        .setPipeMemoryManagementEnabled(false)
+        .setIsPipeEnableMemoryCheck(false)
         .setPipeAutoSplitFullEnabled(false);
     EnvFactory.getEnv().initClusterEnvironment();
   }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java

@@ -20,9 +20,11 @@
 package org.apache.iotdb.db.auth;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.IAuditEntity;
 import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.auth.AuthException;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
+import org.apache.iotdb.commons.auth.entity.User;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.path.PartialPath;
@@ -62,6 +64,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.StringJoiner;
 import java.util.stream.Collectors;
@@ -127,6 +130,11 @@ public static boolean invalidateCache(String username, String roleName) {
     return authorityFetcher.get().getAuthorCache().invalidateCache(username, roleName);
   }
 
+  public static Optional<Long> getUserId(String username) {
+    User user = authorityFetcher.get().getUser(username);
+    return Optional.ofNullable(user == null ? null : user.getUserId());
+  }
+
   public static TSStatus checkUser(String userName, String password) {
     return authorityFetcher.get().checkUser(userName, password);
   }
@@ -150,6 +158,17 @@ public static SettableFuture<ConfigTaskResult> operatePermission(
     return authorityFetcher.get().operatePermission(authorStatement);
   }
 
+  public static IAuditEntity createIAuditEntity(String userName, IClientSession clientSession) {
+    if (clientSession != null && clientSession.getUsername() != null) {
+      return new UserEntity(
+          clientSession.getUserId(), clientSession.getUsername(), clientSession.getClientAddress());
+    } else if (userName != null) {
+      return new UserEntity(AuthorityChecker.getUserId(userName).orElse(-1L), userName, "");
+    } else {
+      return new UserEntity(-1, "unknown", "");
+    }
+  }
+
   /** Check whether specific Session has the authorization to given plan. */
   public static TSStatus checkAuthority(Statement statement, IClientSession session) {
     long startTime = System.nanoTime();

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/deletion/PipeDeleteDataNodeEvent.java

@@ -27,8 +27,8 @@
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TreePattern;
 import org.apache.iotdb.commons.pipe.event.EnrichedEvent;
 import org.apache.iotdb.commons.pipe.event.SerializableEvent;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.pipe.consensus.deletion.DeletionResource;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.PlanNodeType;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.AbstractDeleteDataNode;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.DeleteDataNode;
@@ -160,8 +160,7 @@ public void throwIfNoPrivilege() {
     }
     for (final TableDeletionEntry entry :
         ((RelationalDeleteDataNode) deleteDataNode).getModEntries()) {
-      Coordinator.getInstance()
-          .getAccessControl()
+      AuthorityChecker.getAccessControl()
           .checkCanSelectFromTable(
               userName,
               new QualifiedObjectName(

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/tablet/PipeInsertNodeTabletInsertionEvent.java

@@ -28,6 +28,7 @@
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TablePattern;
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TreePattern;
 import org.apache.iotdb.commons.pipe.resource.ref.PipePhantomReferenceManager.PipeEventResource;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.pipe.agent.PipeDataNodeAgent;
 import org.apache.iotdb.db.pipe.event.ReferenceTrackableEvent;
 import org.apache.iotdb.db.pipe.event.common.PipeInsertionEvent;
@@ -39,7 +40,6 @@
 import org.apache.iotdb.db.pipe.resource.memory.InsertNodeMemoryEstimator;
 import org.apache.iotdb.db.pipe.resource.memory.PipeMemoryWeightUtil;
 import org.apache.iotdb.db.pipe.resource.memory.PipeTabletMemoryBlock;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.InsertNode;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.InsertRowNode;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.write.InsertRowsNode;
@@ -290,8 +290,7 @@ public void throwIfNoPrivilege() {
   }
 
   private void checkTableName(final String tableName) {
-    if (!Coordinator.getInstance()
-        .getAccessControl()
+    if (!AuthorityChecker.getAccessControl()
         .checkCanSelectFromTable4Pipe(
             userName,
             new QualifiedObjectName(getTableModelDatabaseName(), tableName),

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/tsfile/PipeTsFileInsertionEvent.java

@@ -41,7 +41,6 @@
 import org.apache.iotdb.db.pipe.resource.memory.PipeMemoryManager;
 import org.apache.iotdb.db.pipe.resource.tsfile.PipeTsFileResourceManager;
 import org.apache.iotdb.db.pipe.source.dataregion.realtime.assigner.PipeTsFileEpochProgressIndexKeeper;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
 import org.apache.iotdb.db.storageengine.dataregion.memtable.TsFileProcessor;
 import org.apache.iotdb.db.storageengine.dataregion.tsfile.TsFileResource;
@@ -454,8 +453,7 @@ public void throwIfNoPrivilege() {
             || !tablePattern.matchesTable(table)) {
           continue;
         }
-        if (!Coordinator.getInstance()
-            .getAccessControl()
+        if (!AuthorityChecker.getAccessControl()
             .checkCanSelectFromTable4Pipe(
                 userName,
                 new QualifiedObjectName(getTableModelDatabaseName(), table),

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/event/common/tsfile/parser/table/TsFileInsertionEventTableParser.java

@@ -23,13 +23,13 @@
 import org.apache.iotdb.commons.pipe.agent.task.meta.PipeTaskMeta;
 import org.apache.iotdb.commons.pipe.config.PipeConfig;
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TablePattern;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.conf.IoTDBDescriptor;
 import org.apache.iotdb.db.pipe.event.common.PipeInsertionEvent;
 import org.apache.iotdb.db.pipe.event.common.tablet.PipeRawTabletInsertionEvent;
 import org.apache.iotdb.db.pipe.event.common.tsfile.parser.TsFileInsertionEventParser;
 import org.apache.iotdb.db.pipe.resource.PipeDataNodeResourceManager;
 import org.apache.iotdb.db.pipe.resource.memory.PipeMemoryBlock;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
 import org.apache.iotdb.pipe.api.event.dml.insertion.TabletInsertionEvent;
 import org.apache.iotdb.pipe.api.exception.PipeException;
@@ -154,8 +154,7 @@ private boolean hasTablePrivilege(final String tableName) {
                   return Objects.isNull(userName)
                       || Objects.isNull(sourceEvent)
                       || Objects.isNull(sourceEvent.getTableModelDatabaseName())
-                      || Coordinator.getInstance()
-                          .getAccessControl()
+                      || AuthorityChecker.getAccessControl()
                           .checkCanSelectFromTable4Pipe(
                               userName,
                               new QualifiedObjectName(

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java

@@ -20,6 +20,7 @@
 package org.apache.iotdb.db.pipe.receiver.protocol.thrift;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.IAuditEntity;
 import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.IllegalPathException;
@@ -660,8 +661,11 @@ private TPipeTransferResp handleTransferSchemaPlan(final PipeTransferPlanNodeReq
     // We may be able to skip the alter logical view's exception parsing because
     // the "AlterLogicalViewNode" is itself idempotent
     if (req.getPlanNode() instanceof AlterLogicalViewNode) {
-      final TSStatus status =
-          ((AlterLogicalViewNode) req.getPlanNode()).checkPermissionBeforeProcess(username);
+      AlterLogicalViewNode node = (AlterLogicalViewNode) req.getPlanNode();
+      IAuditEntity entity = AuthorityChecker.createIAuditEntity(username, null);
+      TSStatus status =
+          AuthorityChecker.getAccessControl()
+              .checkCanAlterView(entity, node.getSourcePaths(), node.getTargetPaths());
       if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
         PipeLogger.log(
             LOGGER::warn,
@@ -992,8 +996,7 @@ private void autoCreateDatabaseIfNecessary(final String database) {
       return;
     }
 
-    Coordinator.getInstance()
-        .getAccessControl()
+    AuthorityChecker.getAccessControl()
         .checkCanCreateDatabase(username, database, new UserEntity(userId, username, cliHostname));
     final TDatabaseSchema schema = new TDatabaseSchema(new TDatabaseSchema(database));
     schema.setIsTableModel(true);

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/sink/protocol/writeback/WriteBackSink.java

@@ -450,8 +450,7 @@ private void autoCreateDatabaseIfNecessary(final String database) {
     }
 
     try {
-      Coordinator.getInstance()
-          .getAccessControl()
+      AuthorityChecker.getAccessControl()
           .checkCanCreateDatabase(userEntity.getUsername(), database, userEntity);
     } catch (final AccessDeniedException e) {
       // Auto create failed, we still check if there are existing databases

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/source/dataregion/realtime/matcher/CachedSchemaPatternMatcher.java

@@ -23,15 +23,14 @@
 import org.apache.iotdb.commons.pipe.config.PipeConfig;
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TablePattern;
 import org.apache.iotdb.commons.pipe.datastructure.pattern.TreePattern;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.pipe.event.common.PipeInsertionEvent;
 import org.apache.iotdb.db.pipe.event.common.deletion.PipeDeleteDataNodeEvent;
 import org.apache.iotdb.db.pipe.event.common.heartbeat.PipeHeartbeatEvent;
 import org.apache.iotdb.db.pipe.event.common.tsfile.PipeTsFileInsertionEvent;
 import org.apache.iotdb.db.pipe.event.realtime.PipeRealtimeEvent;
 import org.apache.iotdb.db.pipe.source.dataregion.realtime.PipeRealtimeDataRegionSource;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.relational.metadata.QualifiedObjectName;
-import org.apache.iotdb.db.queryengine.plan.relational.security.AccessControl;
 
 import com.github.benmanes.caffeine.cache.Cache;
 import com.github.benmanes.caffeine.cache.Caffeine;
@@ -59,7 +58,6 @@ public class CachedSchemaPatternMatcher implements PipeDataRegionMatcher {
   protected static final String TREE_MODEL_EVENT_TABLE_NAME_PREFIX = PATH_ROOT + PATH_SEPARATOR;
 
   protected final ReentrantReadWriteLock lock;
-  private final AccessControl accessControl = Coordinator.getInstance().getAccessControl();
   protected final Set<PipeRealtimeDataRegionSource> sources;
 
   protected final Cache<IDeviceID, Set<PipeRealtimeDataRegionSource>> deviceToSourcesCache;
@@ -332,11 +330,13 @@ private boolean matchesTablePattern(
 
   private boolean notFilteredByAccess(
       final UserEntity userEntity, final Pair<String, IDeviceID> databaseNameAndTableName) {
-    return accessControl.checkCanSelectFromTable4Pipe(
-        userEntity.getUsername(),
-        new QualifiedObjectName(
-            databaseNameAndTableName.getLeft(), databaseNameAndTableName.getRight().getTableName()),
-        userEntity);
+    return AuthorityChecker.getAccessControl()
+        .checkCanSelectFromTable4Pipe(
+            userEntity.getUsername(),
+            new QualifiedObjectName(
+                databaseNameAndTableName.getLeft(),
+                databaseNameAndTableName.getRight().getTableName()),
+            userEntity);
   }
 
   @Override

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/source/schemaregion/IoTDBSchemaRegionSource.java

@@ -31,14 +31,14 @@
 import org.apache.iotdb.commons.utils.PathUtils;
 import org.apache.iotdb.consensus.ConsensusFactory;
 import org.apache.iotdb.consensus.exception.ConsensusException;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.conf.IoTDBDescriptor;
 import org.apache.iotdb.db.consensus.SchemaRegionConsensusImpl;
 import org.apache.iotdb.db.pipe.agent.PipeDataNodeAgent;
 import org.apache.iotdb.db.pipe.event.common.schema.PipeSchemaRegionSnapshotEvent;
 import org.apache.iotdb.db.pipe.event.common.schema.PipeSchemaRegionWritePlanEvent;
 import org.apache.iotdb.db.pipe.metric.overview.PipeDataNodeSinglePipeMetrics;
 import org.apache.iotdb.db.pipe.metric.schema.PipeSchemaRegionSourceMetrics;
-import org.apache.iotdb.db.queryengine.plan.Coordinator;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.PlanNode;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.PlanNodeId;
 import org.apache.iotdb.db.queryengine.plan.planner.plan.node.PlanNodeType;
@@ -157,8 +157,7 @@ protected long getMaxBlockingTimeMs() {
   protected boolean canSkipSnapshotPrivilegeCheck(final PipeSnapshotEvent event) {
     try {
       if (PathUtils.isTableModelDatabase(database)) {
-        Coordinator.getInstance()
-            .getAccessControl()
+        AuthorityChecker.getAccessControl()
             .checkCanSelectFromDatabase4Pipe(userName, database, userEntity);
       }
       return true;