branch-4.0: [fix](block-rule) Skip SQL block rules check for EXPLAIN statements #59445 (#59509)

Cherry-picked from #59445

Co-authored-by: Chenjunwei <[email protected]>

Author: github-actions[bot]

fe/fe-core/src/main/java/org/apache/doris/nereids/trees/plans/commands/ExplainCommand.java

@@ -104,7 +104,8 @@ public void run(ConnectContext ctx, StmtExecutor executor) throws Exception {
         }
         planner.plan(logicalPlanAdapter, ctx.getSessionVariable().toThrift());
         executor.setPlanner(planner);
-        executor.checkBlockRules();
+        // Skip SQL block rules check for EXPLAIN statements since they only show
+        // the execution plan without actually executing the query
         if (showPlanProcess) {
             executor.handleExplainPlanProcessStmt(planner.getCascadesContext().getPlanProcesses());
         } else {

regression-test/suites/external_table_p0/hive/test_external_sql_block_rule.groovy

@@ -24,81 +24,111 @@ suite("test_external_sql_block_rule", "external_docker,hive,external_docker_hive
 
     String externalEnvIp = context.config.otherConfigs.get("externalEnvIp")
     String hms_port = context.config.otherConfigs.get("hive2HmsPort")
+    String catalog_name = "test_hive2_external_sql_block_rule"
 
-    sql """drop catalog if exists test_hive2_external_sql_block_rule """
+    sql """drop catalog if exists ${catalog_name}"""
 
-    sql """CREATE CATALOG test_hive2_external_sql_block_rule PROPERTIES (
+    sql """CREATE CATALOG ${catalog_name} PROPERTIES (
             'type'='hms',
             'hive.metastore.uris' = 'thrift://${externalEnvIp}:${hms_port}',
             'hadoop.username' = 'hive'
         );"""
 
-    sql "use test_hive2_external_sql_block_rule.`default`";
+    sql "use ${catalog_name}.`default`";
     qt_sql01 """select * from parquet_partition_table order by l_linenumber,l_orderkey limit 10;"""
 
-    sql """drop sql_block_rule if exists external_hive_partition"""
-    sql """create sql_block_rule external_hive_partition properties("partition_num" = "3", "global" = "false");"""
-    sql """drop sql_block_rule if exists external_hive_partition2"""
-    sql """create sql_block_rule external_hive_partition2 properties("tablet_num" = "3", "global" = "false");"""
-    sql """drop sql_block_rule if exists external_hive_partition3"""
-    sql """create sql_block_rule external_hive_partition3 properties("cardinality" = "3", "global" = "false");"""
-    // create 3 users
-    sql """drop user if exists external_block_user1"""
-    sql """create user external_block_user1;"""
-    sql """SET PROPERTY FOR 'external_block_user1' 'sql_block_rules' = 'external_hive_partition';"""
-    sql """grant all on *.*.* to external_block_user1;"""
-    //cloud-mode
-    if (isCloudMode()) {
-        def clusters = sql " SHOW CLUSTERS; "
-        assertTrue(!clusters.isEmpty())
-        def validCluster = clusters[0][0]
-        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO external_block_user1;""";
-    }
+    // Clean up existing rules and users
+    sql """drop sql_block_rule if exists hive_partition_rule"""
+    sql """drop sql_block_rule if exists hive_split_rule"""
+    sql """drop sql_block_rule if exists hive_cardinality_rule"""
+    sql """drop sql_block_rule if exists hive_regex_rule"""
+    sql """drop user if exists hive_block_user1"""
+    sql """drop user if exists hive_block_user2"""
+    sql """drop user if exists hive_block_user3"""
+    sql """drop user if exists hive_block_user4"""
+
+    // Create non-global rules (won't affect other parallel tests)
+    sql """create sql_block_rule hive_partition_rule properties("partition_num" = "3", "global" = "false");"""
+    sql """create sql_block_rule hive_split_rule properties("tablet_num" = "3", "global" = "false");"""
+    sql """create sql_block_rule hive_cardinality_rule properties("cardinality" = "3", "global" = "false");"""
+    sql """create sql_block_rule hive_regex_rule properties("sql" = "SELECT \\\\*", "global" = "false");"""
+
+    // Create test users and bind rules
+    sql """create user hive_block_user1;"""
+    sql """SET PROPERTY FOR 'hive_block_user1' 'sql_block_rules' = 'hive_partition_rule';"""
+    sql """grant all on *.*.* to hive_block_user1;"""
+
+    sql """create user hive_block_user2;"""
+    sql """SET PROPERTY FOR 'hive_block_user2' 'sql_block_rules' = 'hive_split_rule';"""
+    sql """grant all on *.*.* to hive_block_user2;"""
+
+    sql """create user hive_block_user3;"""
+    sql """SET PROPERTY FOR 'hive_block_user3' 'sql_block_rules' = 'hive_cardinality_rule';"""
+    sql """grant all on *.*.* to hive_block_user3;"""
+
+    sql """create user hive_block_user4;"""
+    sql """SET PROPERTY FOR 'hive_block_user4' 'sql_block_rules' = 'hive_regex_rule';"""
+    sql """grant all on *.*.* to hive_block_user4;"""
 
-    sql """drop user if exists external_block_user2"""
-    sql """create user external_block_user2;"""
-    sql """SET PROPERTY FOR 'external_block_user2' 'sql_block_rules' = 'external_hive_partition2';"""
-    sql """grant all on *.*.* to external_block_user2;"""
-    //cloud-mode
+    // cloud-mode: grant cluster privileges
     if (isCloudMode()) {
         def clusters = sql " SHOW CLUSTERS; "
         assertTrue(!clusters.isEmpty())
         def validCluster = clusters[0][0]
-        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO external_block_user2;""";
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO hive_block_user1;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO hive_block_user2;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO hive_block_user3;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO hive_block_user4;"""
     }
 
-    sql """drop user if exists external_block_user3"""
-    sql """create user external_block_user3;"""
-    sql """SET PROPERTY FOR 'external_block_user3' 'sql_block_rules' = 'external_hive_partition3';"""
-    sql """grant all on *.*.* to external_block_user3;"""
-    //cloud-mode
-    if (isCloudMode()) {
-        def clusters = sql " SHOW CLUSTERS; "
-        assertTrue(!clusters.isEmpty())
-        def validCluster = clusters[0][0]
-        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO external_block_user3;""";
+    // Test 1: partition_num rule
+    connect('hive_block_user1', '', context.config.jdbcUrl) {
+        test {
+            sql """select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
+            exception """sql hits sql block rule: hive_partition_rule, reach partition_num : 3"""
+        }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
     }
 
-    // login as external_block_user1 
-    def result1 = connect('external_block_user1', '', context.config.jdbcUrl) {
+    // Test 2: tablet_num (split) rule
+    connect('hive_block_user2', '', context.config.jdbcUrl) {
         test {
-            sql """select * from test_hive2_external_sql_block_rule.`default`.parquet_partition_table order by l_linenumber limit 10;"""
-            exception """sql hits sql block rule: external_hive_partition, reach partition_num : 3"""
+            sql """select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
+            exception """sql hits sql block rule: hive_split_rule, reach tablet_num : 3"""
         }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
     }
-    // login as external_block_user2
-    def result2 = connect('external_block_user2', '', context.config.jdbcUrl) {
+
+    // Test 3: cardinality rule
+    connect('hive_block_user3', '', context.config.jdbcUrl) {
         test {
-            sql """select * from test_hive2_external_sql_block_rule.`default`.parquet_partition_table order by l_linenumber limit 10;"""
-            exception """sql hits sql block rule: external_hive_partition2, reach tablet_num : 3"""
+            sql """select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
+            exception """sql hits sql block rule: hive_cardinality_rule, reach cardinality : 3"""
         }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.`default`.parquet_partition_table order by l_linenumber limit 10;"""
     }
-    // login as external_block_user3
-    def result3 = connect('external_block_user3', '', context.config.jdbcUrl) {
+
+    // Test 4: regex rule
+    connect('hive_block_user4', '', context.config.jdbcUrl) {
         test {
-            sql """select * from test_hive2_external_sql_block_rule.`default`.parquet_partition_table order by l_linenumber limit 10;"""
-            exception """sql hits sql block rule: external_hive_partition3, reach cardinality : 3"""
+            sql """SELECT * FROM ${catalog_name}.`default`.parquet_partition_table limit 10;"""
+            exception """sql match regex sql block rule: hive_regex_rule"""
         }
+        // Test EXPLAIN should not be blocked by regex rule
+        sql """EXPLAIN SELECT * FROM ${catalog_name}.`default`.parquet_partition_table limit 10;"""
     }
-}
 
+    // Cleanup
+    sql """drop user if exists hive_block_user1"""
+    sql """drop user if exists hive_block_user2"""
+    sql """drop user if exists hive_block_user3"""
+    sql """drop user if exists hive_block_user4"""
+    sql """drop sql_block_rule if exists hive_partition_rule"""
+    sql """drop sql_block_rule if exists hive_split_rule"""
+    sql """drop sql_block_rule if exists hive_cardinality_rule"""
+    sql """drop sql_block_rule if exists hive_regex_rule"""
+    sql """drop catalog if exists ${catalog_name}"""
+}

regression-test/suites/external_table_p0/iceberg/test_iceberg_sql_block_rule.groovy

@@ -0,0 +1,156 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+suite("test_iceberg_sql_block_rule", "p0,external,doris,external_docker,external_docker_doris") {
+    String enabled = context.config.otherConfigs.get("enableIcebergTest")
+    if (enabled == null || !enabled.equalsIgnoreCase("true")) {
+        logger.info("disable iceberg test.")
+        return
+    }
+
+    String rest_port = context.config.otherConfigs.get("iceberg_rest_uri_port")
+    String minio_port = context.config.otherConfigs.get("iceberg_minio_port")
+    String externalEnvIp = context.config.otherConfigs.get("externalEnvIp")
+    String catalog_name = "test_iceberg_sql_block_rule_ctl"
+    String db_name = "iceberg_sql_block_rule_db"
+    String table_name = "iceberg_sql_block_rule_tbl"
+
+    sql """drop catalog if exists ${catalog_name}"""
+    sql """
+    CREATE CATALOG ${catalog_name} PROPERTIES (
+        'type'='iceberg',
+        'iceberg.catalog.type'='rest',
+        'uri' = 'http://${externalEnvIp}:${rest_port}',
+        "s3.access_key" = "admin",
+        "s3.secret_key" = "password",
+        "s3.endpoint" = "http://${externalEnvIp}:${minio_port}",
+        "s3.region" = "us-east-1"
+    );"""
+
+    sql """switch ${catalog_name}"""
+    sql """create database if not exists ${db_name}"""
+    sql """use ${db_name}"""
+    sql """drop table if exists ${table_name}"""
+    sql """
+        create table ${table_name} (
+            id int,
+            partition_key int,
+            val string
+        ) PARTITION BY LIST (partition_key) ()
+    """
+    sql """insert into ${table_name} values (1, 1, 'a')"""
+    sql """insert into ${table_name} values (2, 2, 'b')"""
+    sql """insert into ${table_name} values (3, 3, 'c')"""
+    sql """insert into ${table_name} values (4, 4, 'd')"""
+
+    // Clean up existing rules and users
+    sql """drop sql_block_rule if exists iceberg_partition_rule"""
+    sql """drop sql_block_rule if exists iceberg_split_rule"""
+    sql """drop sql_block_rule if exists iceberg_cardinality_rule"""
+    sql """drop sql_block_rule if exists iceberg_regex_rule"""
+    sql """drop user if exists iceberg_block_user1"""
+    sql """drop user if exists iceberg_block_user2"""
+    sql """drop user if exists iceberg_block_user3"""
+    sql """drop user if exists iceberg_block_user4"""
+
+    // Create non-global rules (won't affect other parallel tests)
+    sql """create sql_block_rule iceberg_partition_rule properties("partition_num" = "1", "global" = "false");"""
+    sql """create sql_block_rule iceberg_split_rule properties("tablet_num" = "1", "global" = "false");"""
+    sql """create sql_block_rule iceberg_cardinality_rule properties("cardinality" = "1", "global" = "false");"""
+    sql """create sql_block_rule iceberg_regex_rule properties("sql" = "SELECT \\\\*", "global" = "false");"""
+
+    // Create test users and bind rules
+    sql """create user iceberg_block_user1;"""
+    sql """SET PROPERTY FOR 'iceberg_block_user1' 'sql_block_rules' = 'iceberg_partition_rule';"""
+    sql """grant all on *.*.* to iceberg_block_user1;"""
+
+    sql """create user iceberg_block_user2;"""
+    sql """SET PROPERTY FOR 'iceberg_block_user2' 'sql_block_rules' = 'iceberg_split_rule';"""
+    sql """grant all on *.*.* to iceberg_block_user2;"""
+
+    sql """create user iceberg_block_user3;"""
+    sql """SET PROPERTY FOR 'iceberg_block_user3' 'sql_block_rules' = 'iceberg_cardinality_rule';"""
+    sql """grant all on *.*.* to iceberg_block_user3;"""
+
+    sql """create user iceberg_block_user4;"""
+    sql """SET PROPERTY FOR 'iceberg_block_user4' 'sql_block_rules' = 'iceberg_regex_rule';"""
+    sql """grant all on *.*.* to iceberg_block_user4;"""
+
+    // cloud-mode: grant cluster privileges
+    if (isCloudMode()) {
+        def clusters = sql " SHOW CLUSTERS; "
+        assertTrue(!clusters.isEmpty())
+        def validCluster = clusters[0][0]
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO iceberg_block_user1;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO iceberg_block_user2;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO iceberg_block_user3;"""
+        sql """GRANT USAGE_PRIV ON CLUSTER `${validCluster}` TO iceberg_block_user4;"""
+    }
+
+    // Test 1: partition_num rule
+    connect('iceberg_block_user1', '', context.config.jdbcUrl) {
+        test {
+            sql """select * from ${catalog_name}.${db_name}.${table_name}"""
+            exception """sql hits sql block rule: iceberg_partition_rule, reach partition_num : 1"""
+        }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.${db_name}.${table_name}"""
+    }
+
+    // Test 2: tablet_num (split) rule
+    connect('iceberg_block_user2', '', context.config.jdbcUrl) {
+        test {
+            sql """select * from ${catalog_name}.${db_name}.${table_name}"""
+            exception """sql hits sql block rule: iceberg_split_rule, reach tablet_num : 1"""
+        }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.${db_name}.${table_name}"""
+    }
+
+    // Test 3: cardinality rule
+    connect('iceberg_block_user3', '', context.config.jdbcUrl) {
+        test {
+            sql """select * from ${catalog_name}.${db_name}.${table_name}"""
+            exception """sql hits sql block rule: iceberg_cardinality_rule, reach cardinality : 1"""
+        }
+        // Test EXPLAIN should not be blocked
+        sql """explain select * from ${catalog_name}.${db_name}.${table_name}"""
+    }
+
+    // Test 4: regex rule
+    connect('iceberg_block_user4', '', context.config.jdbcUrl) {
+        test {
+            sql """SELECT * FROM ${catalog_name}.${db_name}.${table_name}"""
+            exception """sql match regex sql block rule: iceberg_regex_rule"""
+        }
+        // Test EXPLAIN should not be blocked by regex rule
+        sql """EXPLAIN SELECT * FROM ${catalog_name}.${db_name}.${table_name}"""
+    }
+
+    // Cleanup
+    sql """drop user if exists iceberg_block_user1"""
+    sql """drop user if exists iceberg_block_user2"""
+    sql """drop user if exists iceberg_block_user3"""
+    sql """drop user if exists iceberg_block_user4"""
+    sql """drop sql_block_rule if exists iceberg_partition_rule"""
+    sql """drop sql_block_rule if exists iceberg_split_rule"""
+    sql """drop sql_block_rule if exists iceberg_cardinality_rule"""
+    sql """drop sql_block_rule if exists iceberg_regex_rule"""
+    sql """drop table if exists ${table_name}"""
+    sql """drop database if exists ${db_name}"""
+    sql """drop catalog if exists ${catalog_name}"""
+}