make with-grant-option optinal (apache#15854)

Author: zhujt20

integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java

@@ -109,6 +109,12 @@ public CommonConfig setEncryptKeyPath(String encryptKeyPath) {
     return this;
   }
 
+  @Override
+  public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+    setProperty("enable_grant_option", String.valueOf(enableGrantOption));
+    return this;
+  }
+
   @Override
   public CommonConfig setUdfMemoryBudgetInMB(float udfCollectorMemoryBudgetInMB) {
     // udf_memory_budget_in_mb

integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java

@@ -89,6 +89,13 @@ public CommonConfig setEncryptKeyPath(String encryptKeyPath) {
     return this;
   }
 
+  @Override
+  public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+    cnConfig.setEnableGrantOption(enableGrantOption);
+    dnConfig.setEnableGrantOption(enableGrantOption);
+    return this;
+  }
+
   @Override
   public CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int maxMs) {
     cnConfig.setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(maxMs);

integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java

@@ -64,6 +64,11 @@ public CommonConfig setEncryptKeyPath(String encryptKeyPath) {
     return this;
   }
 
+  @Override
+  public CommonConfig setEnableGrantOption(boolean enableGrantOption) {
+    return this;
+  }
+
   @Override
   public CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int maxMs) {
     return this;

integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java

@@ -40,6 +40,8 @@ public interface CommonConfig {
 
   CommonConfig setEncryptKeyPath(String encryptKeyPath);
 
+  CommonConfig setEnableGrantOption(boolean enableGrantOption);
+
   CommonConfig setConfigRegionRatisRPCLeaderElectionTimeoutMaxMs(int maxMs);
 
   CommonConfig setUdfMemoryBudgetInMB(float udfCollectorMemoryBudgetInMB);

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBGrantOptionIT.java

@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iotdb.db.it.auth;
+
+import org.apache.iotdb.it.env.EnvFactory;
+import org.apache.iotdb.it.framework.IoTDBTestRunner;
+import org.apache.iotdb.itbase.category.ClusterIT;
+import org.apache.iotdb.itbase.category.LocalStandaloneIT;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.junit.runner.RunWith;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+@Ignore
+@RunWith(IoTDBTestRunner.class)
+@Category({LocalStandaloneIT.class, ClusterIT.class})
+public class IoTDBGrantOptionIT {
+  @Before
+  public void setUp() throws Exception {
+    EnvFactory.getEnv().getConfig().getCommonConfig().setEnableGrantOption(false);
+    EnvFactory.getEnv().initClusterEnvironment();
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    EnvFactory.getEnv().cleanClusterEnvironment();
+  }
+
+  @Test
+  public void grantTest() throws SQLException {
+    try (Connection adminCon = EnvFactory.getEnv().getConnection();
+        Statement adminStmt = adminCon.createStatement()) {
+      adminStmt.execute("CREATE USER tempuser 'temppw'");
+      adminStmt.execute("CREATE USER tempuser2 'temppw2'");
+      // with grant option is disabled.
+      Assert.assertThrows(
+          SQLException.class,
+          () -> adminStmt.execute("GRANT ALL ON root.** TO USER tempuser WITH GRANT OPTION"));
+      adminStmt.execute("GRANT ALL ON root.** TO USER tempuser");
+      try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw");
+          Statement userStmt = userCon.createStatement()) {
+        userStmt.execute("CREATE DATABASE root.a");
+        userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN");
+        userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)");
+        userStmt.execute("SELECT * from root.a");
+        // tempuser can not grant privileges to other users
+        Assert.assertThrows(
+            SQLException.class, () -> userStmt.execute("GRANT ALL ON root.** TO USER tempuser2"));
+        // with grant option is disabled
+        Assert.assertThrows(
+            SQLException.class,
+            () -> userStmt.execute("GRANT ALL ON root.** TO USER tempuser2 WITH GRANT OPTION"));
+      }
+    }
+  }
+}

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/SystemPropertiesUtils.java

@@ -202,6 +202,15 @@ public static void checkSystemProperties() throws IOException {
         COMMON_CONFIG.setTimePartitionInterval(timePartitionInterval);
       }
     }
+    if (systemProperties.getProperty("enable_grant_option", null) != null) {
+      boolean enableGrantOption =
+          Boolean.parseBoolean(systemProperties.getProperty("enable_grant_option"));
+      if (enableGrantOption != COMMON_CONFIG.getEnableGrantOption()) {
+        LOGGER.warn(
+            format, "enable_grant_option", COMMON_CONFIG.getEnableGrantOption(), enableGrantOption);
+        COMMON_CONFIG.setEnableGrantOption(enableGrantOption);
+      }
+    }
   }
 
   /**
@@ -273,7 +282,8 @@ public static void storeSystemParameters() throws IOException {
     systemProperties.setProperty("schema_engine_mode", COMMON_CONFIG.getSchemaEngineMode());
     systemProperties.setProperty(
         "tag_attribute_total_size", String.valueOf(COMMON_CONFIG.getTagAttributeTotalSize()));
-
+    systemProperties.setProperty(
+        "enable_grant_option", String.valueOf(COMMON_CONFIG.getEnableGrantOption()));
     systemPropertiesHandler.overwrite(systemProperties);
   }
 

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java

@@ -2477,7 +2477,13 @@ public Statement visitGrantUser(IoTDBSqlParser.GrantUserContext ctx) {
     authorStatement.setUserName(parseIdentifier(ctx.userName.getText()));
     authorStatement.setPrivilegeList(priviParsed);
     authorStatement.setNodeNameList(nodeNameList);
+    if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+        && ctx.grantOpt() != null) {
+      throw new SemanticException(
+          "Grant Option is disabled, Please check the parameter enable_grant_option.");
+    }
     authorStatement.setGrantOpt(ctx.grantOpt() != null);
+
     return authorStatement;
   }
 
@@ -2498,6 +2504,11 @@ public Statement visitGrantRole(IoTDBSqlParser.GrantRoleContext ctx) {
     authorStatement.setRoleName(parseIdentifier(ctx.roleName.getText()));
     authorStatement.setPrivilegeList(priviParsed);
     authorStatement.setNodeNameList(nodeNameList);
+    if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+        && ctx.grantOpt() != null) {
+      throw new SemanticException(
+          "Grant Option is disabled, Please check the parameter enable_grant_option.");
+    }
     authorStatement.setGrantOpt(ctx.grantOpt() != null);
     return authorStatement;
   }

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/sql/parser/AstBuilder.java

@@ -22,6 +22,7 @@
 import org.apache.iotdb.common.rpc.thrift.TConsensusGroupType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.cluster.NodeStatus;
+import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.schema.cache.CacheClearOptions;
 import org.apache.iotdb.commons.schema.table.InformationSchema;
@@ -1808,6 +1809,11 @@ public Node visitGrantStatement(RelationalSqlParser.GrantStatementContext ctx) {
     String name;
     toUser = ctx.holderType().getText().equalsIgnoreCase("user");
     name = (((Identifier) visit(ctx.holderName)).getValue());
+    if (!CommonDescriptor.getInstance().getConfig().getEnableGrantOption()
+        && ctx.grantOpt() != null) {
+      throw new SemanticException(
+          "Grant Option is disabled, Please check the parameter enable_grant_option.");
+    }
     boolean grantOption = ctx.grantOpt() != null;
     boolean toTable;
     Set<PrivilegeType> privileges;

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java

@@ -69,6 +69,8 @@ public class CommonConfig {
 
   private String adminPassword = "root";
 
+  private Boolean enableGrantOption = true;
+
   private String oldUserFolder =
       IoTDBConstant.DN_DEFAULT_DATA_DIR
           + File.separator
@@ -495,6 +497,14 @@ public String getOldUserFolder() {
     return oldUserFolder;
   }
 
+  public void setEnableGrantOption(Boolean enableGrantOption) {
+    this.enableGrantOption = enableGrantOption;
+  }
+
+  public Boolean getEnableGrantOption() {
+    return enableGrantOption;
+  }
+
   public String getOldRoleFolder() {
     return oldRoleFolder;
   }

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java

@@ -90,6 +90,10 @@ public void loadCommonProps(TrimProperties properties) throws IOException {
             "iotdb_server_encrypt_decrypt_provider_parameter",
             config.getEncryptDecryptProviderParameter()));
 
+    config.setEnableGrantOption(
+        Boolean.parseBoolean(
+            properties.getProperty("enable_grant_option", String.valueOf("true"))));
+
     String[] tierTTLStr = new String[config.getTierTTLInMs().length];
     for (int i = 0; i < tierTTLStr.length; ++i) {
       tierTTLStr[i] = String.valueOf(config.getTierTTLInMs()[i]);