
Commit 18adf5b

committed
partial
1 parent 47429d0 commit 18adf5b


5 files changed

+90
-48
lines changed


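--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java
@@ -20,6 +20,7 @@
 package org.apache.iotdb.confignode.manager.pipe.receiver.protocol;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.IAuditEntity;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
@@ -46,6 +47,7 @@
 import org.apache.iotdb.commons.schema.ttl.TTLCache;
 import org.apache.iotdb.commons.utils.PathUtils;
 import org.apache.iotdb.commons.utils.StatusUtils;
+import org.apache.iotdb.confignode.audit.CNAuditLogger;
 import org.apache.iotdb.confignode.conf.ConfigNodeDescriptor;
 import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlan;
 import org.apache.iotdb.confignode.consensus.request.ConfigPhysicalPlanType;
@@ -143,6 +145,8 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkGlobalStatus;
+
 public class IoTDBConfigNodeReceiver extends IoTDBFileReceiver {
 
 private static final Logger LOGGER = LoggerFactory.getLogger(IoTDBConfigNodeReceiver.class);
@@ -157,6 +161,7 @@ public class IoTDBConfigNodeReceiver extends IoTDBFileReceiver {
 new PipeConfigPhysicalPlanExceptionVisitor();
 
 private final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
+private final CNAuditLogger auditLogger = configManager.getAuditLogger();
 
 @Override
 public TPipeTransferResp receive(final TPipeTransferReq req) {
@@ -290,43 +295,41 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 return status;
 }
 
+String database;
 switch (plan.getType()) {
 case CreateDatabase:
-return PathUtils.isTableModelDatabase(((DatabaseSchemaPlan) plan).getSchema().getName())
-? configManager
-.checkUserPrivileges(
-username,
-new PrivilegeUnion(
-((DatabaseSchemaPlan) plan).getSchema().getName(), PrivilegeType.CREATE))
-.getStatus()
-: configManager
-.checkUserPrivileges(username, new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE))
-.getStatus();
+database = ((DatabaseSchemaPlan) plan).getSchema().getName();
+if (PathUtils.isTableModelDatabase(database)) {
+status = checkDatabaseStatus(userEntity, PrivilegeType.CREATE, database, false);
+if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
+}
+}
+return checkGlobalStatus(userEntity, PrivilegeType.MANAGE_DATABASE, database, true);
 case AlterDatabase:
-return PathUtils.isTableModelDatabase(((DatabaseSchemaPlan) plan).getSchema().getName())
-? configManager
-.checkUserPrivileges(
-username,
-new PrivilegeUnion(
-((DatabaseSchemaPlan) plan).getSchema().getName(), PrivilegeType.ALTER))
-.getStatus()
-: configManager
-.checkUserPrivileges(username, new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE))
-.getStatus();
+database = ((DatabaseSchemaPlan) plan).getSchema().getName();
+if (PathUtils.isTableModelDatabase(database)) {
+status = checkDatabaseStatus(userEntity, PrivilegeType.ALTER, database, false);
+if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
+}
+}
+return checkGlobalStatus(userEntity, PrivilegeType.MANAGE_DATABASE, database, true);
 case DeleteDatabase:
-return PathUtils.isTableModelDatabase(((DeleteDatabasePlan) plan).getName())
-? configManager
-.checkUserPrivileges(
-username,
-new PrivilegeUnion(((DeleteDatabasePlan) plan).getName(), PrivilegeType.DROP))
-.getStatus()
-: configManager
-.checkUserPrivileges(username, new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE))
-.getStatus();
+database = ((DeleteDatabasePlan) plan).getName();
+if (PathUtils.isTableModelDatabase(database)) {
+status = checkDatabaseStatus(userEntity, PrivilegeType.DELETE, database, false);
+if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
+}
+}
+return checkGlobalStatus(userEntity, PrivilegeType.MANAGE_DATABASE, database, true);
 case ExtendSchemaTemplate:
-return configManager
-.checkUserPrivileges(username, new PrivilegeUnion(PrivilegeType.EXTEND_TEMPLATE))
-.getStatus();
+return checkGlobalStatus(
+userEntity,
+PrivilegeType.EXTEND_TEMPLATE,
+((ExtendSchemaTemplatePlan) plan).getTemplateExtendInfo().getTemplateName(),
+true);
 case CreateSchemaTemplate:
 case CommitSetSchemaTemplate:
 case PipeUnsetTemplate:
@@ -618,6 +621,29 @@ username, new PrivilegeUnion(PrivilegeType.values()[permission], true))
 }
 }
 
+public static TSStatus checkDatabaseStatus(
+final IAuditEntity userEntity,
+final PrivilegeType privilegeType,
+final String database,
+final boolean isLastCheck) {
+final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
+final CNAuditLogger logger = configManager.getAuditLogger();
+final TSStatus result =
+configManager
+.getPermissionManager()
+.checkUserPrivileges(
+userEntity.getUsername(), new PrivilegeUnion(database, privilegeType))
+.getStatus();
+if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode() || isLastCheck) {
+logger.recordAuditLog(
+userEntity
+.setPrivilegeType(privilegeType)
+.setResult(result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),
+() -> database);
+}
+return result;
+}
+
 private TSStatus executePlan(final ConfigPhysicalPlan plan) throws ConsensusException {
 final String queryId = generatePseudoQueryId();
 switch (plan.getType()) {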
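Review bot: In the CreateDatabase, AlterDatabase and DeleteDatabase cases a successful database-scoped check is never returned: when `checkDatabaseStatus` succeeds the code falls out of the `if` and still runs `checkGlobalStatus(userEntity, PrivilegeType.MANAGE_DATABASE, database, true)`, so a user holding only CREATE/ALTER/DELETE on a table-model database is now denied (the removed ternary granted on the object privilege alone) and, when MANAGE_DATABASE does pass, the audit log receives two entries for one decision. Unless the intent really is to require MANAGE_DATABASE in addition, the table-model branch should return `status` on success and fall back to SYSTEM only on failure; the same shape is repeated three times, so a private helper keeps the three cases identical. Separately, DeleteDatabase now checks `PrivilegeType.DELETE` where the removed lines checked `PrivilegeType.DROP`, which changes which grant unlocks the operation and is worth confirming against the table-model privilege set. checkPermission starts and continues outside the hunk.
```java
case CreateDatabase:
  return checkDatabasePlanPermission(
      userEntity, PrivilegeType.CREATE, ((DatabaseSchemaPlan) plan).getSchema().getName());
// … unchanged: AlterDatabase / DeleteDatabase call the same helper with ALTER / DELETE …
// … unchanged: remaining cases of checkPermission …

/**
 * Table-model database: the object privilege, else SYSTEM as the audited last check.
 * Tree-model database: MANAGE_DATABASE, as before this commit.
 */
private static TSStatus checkDatabasePlanPermission(
    final IAuditEntity userEntity, final PrivilegeType privilegeType, final String database) {
  if (!PathUtils.isTableModelDatabase(database)) {
    return checkGlobalStatus(userEntity, PrivilegeType.MANAGE_DATABASE, database, true);
  }
  final TSStatus objectStatus = checkDatabaseStatus(userEntity, privilegeType, database, false);
  return objectStatus.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()
      ? objectStatus
      : checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
}
```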

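--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTablePrivilegeParseVisitor.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTablePrivilegeParseVisitor.java
@@ -84,7 +84,7 @@ public Optional<ConfigPhysicalPlan> visitDeleteDatabase(
 private boolean isDatabaseVisible(final IAuditEntity userEntity, final String database) {
 final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
 final CNAuditLogger logger = configManager.getAuditLogger();
-boolean result =
+final boolean result =
 configManager
 .getPermissionManager()
 .checkUserPrivileges(userEntity.getUsername(), new PrivilegeUnion(database, null))
@@ -176,7 +176,7 @@ private boolean isTableVisible(
 final IAuditEntity userEntity, final String database, final String tableName) {
 final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
 final CNAuditLogger logger = configManager.getAuditLogger();
-boolean result =
+final boolean result =
 configManager
 .getPermissionManager()
 .checkUserPrivileges(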

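--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
@@ -19,6 +19,7 @@
 
 package org.apache.iotdb.confignode.manager.pipe.source;
 
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.audit.IAuditEntity;
 import org.apache.iotdb.commons.auth.AuthException;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
@@ -409,27 +410,37 @@ private PathPatternTree getAuthorizedPTree(final IAuditEntity userEntity) throws
 .fetchRawAuthorizedPTree(userEntity.getUsername(), PrivilegeType.READ_SCHEMA);
 }
 
-public static boolean hasGlobalPrivilege(
+public static TSStatus checkGlobalStatus(
 final IAuditEntity userEntity,
 final PrivilegeType privilegeType,
 final String auditObject,
 final boolean isLastCheck) {
 final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
 final CNAuditLogger logger = configManager.getAuditLogger();
-final boolean result =
+final TSStatus result =
 configManager
-.getPermissionManager()
-.checkUserPrivileges(userEntity.getUsername(), new PrivilegeUnion(privilegeType))
-.getStatus()
-.getCode()
-== TSStatusCode.SUCCESS_STATUS.getStatusCode();
-if (result || isLastCheck) {
+.getPermissionManager()
+.checkUserPrivileges(userEntity.getUsername(), new PrivilegeUnion(privilegeType))
+.getStatus();
+if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode() || isLastCheck) {
 logger.recordAuditLog(
-userEntity.setPrivilegeType(privilegeType).setResult(result), () -> auditObject);
+userEntity
+.setPrivilegeType(privilegeType)
+.setResult(result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),
+() -> auditObject);
 }
 return result;
 }
 
+public static boolean hasGlobalPrivilege(
+final IAuditEntity userEntity,
+final PrivilegeType privilegeType,
+final String auditObject,
+final boolean isLastCheck) {
+return checkGlobalStatus(userEntity, privilegeType, auditObject, isLastCheck).getCode()
+== TSStatusCode.SUCCESS_STATUS.getStatusCode();
+}
+
 private boolean hasReadPrivilege(
 final IAuditEntity userEntity,
 final String path,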
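Review bot: checkGlobalStatus evaluates `result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()` twice, once in the guard and once as the setResult argument; a single `final boolean succeeded = result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode();` used in both places reads better and keeps the two from drifting apart. The method is public static and now sits on the receiver's permission path (IoTDBConfigNodeReceiver imports it statically), so it deserves a Javadoc stating the audit contract the code implements: the entry is recorded only when the check succeeds or `isLastCheck` is true, so a caller chaining several checks must pass `true` on exactly the final one or a denial is never audited. hasGlobalPrivilege could carry a one-line `/** Convenience wrapper over {@link #checkGlobalStatus}; same audit semantics. */`.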

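--- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java
+++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/receiver/protocol/thrift/IoTDBDataNodeReceiver.java
@@ -21,7 +21,6 @@
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
 import org.apache.iotdb.commons.audit.IAuditEntity;
-import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.IoTDBConstant;
 import org.apache.iotdb.commons.exception.IllegalPathException;
 import org.apache.iotdb.commons.exception.pipe.PipeRuntimeOutOfMemoryCriticalException;
@@ -1016,8 +1015,7 @@ private void autoCreateDatabaseIfNecessary(final String database) {
 return;
 }
 
-AuthorityChecker.getAccessControl()
-.checkCanCreateDatabase(username, database, new UserEntity(userId, username, cliHostname));
+AuthorityChecker.getAccessControl().checkCanCreateDatabase(username, database, userEntity);
 final TDatabaseSchema schema = new TDatabaseSchema(new TDatabaseSchema(database));
 schema.setIsTableModel(true);
 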
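Review bot: `userEntity` replaces a UserEntity built on the spot, but in the hunks of this commit the field is declared in IoTDBFileReceiver without an initializer and assigned only inside handleTransferHandshakeV2, so autoCreateDatabaseIfNecessary would hand `null` to checkCanCreateDatabase on a receiver that reached this point without a V2 handshake, whereas the removed line always had a value because userId and cliHostname carried defaults. If a V1 handshake or no-handshake path can reach this method, either give the field a default in its declaration, `protected IAuditEntity userEntity = new UserEntity(-1, username, "");`, or fail the request with an explicit status when it is null rather than letting the access-control call dereference it. I cannot see the V1 handshake from this page, so this may already be covered there; the same field is relied on by IoTDBConfigNodeReceiver.checkPermission in this commit. autoCreateDatabaseIfNecessary starts outside the hunk.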
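--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/receiver/IoTDBFileReceiver.java
+++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/receiver/IoTDBFileReceiver.java
@@ -20,6 +20,8 @@
 package org.apache.iotdb.commons.pipe.receiver;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.IAuditEntity;
+import org.apache.iotdb.commons.audit.UserEntity;
 import org.apache.iotdb.commons.conf.CommonDescriptor;
 import org.apache.iotdb.commons.exception.IllegalPathException;
 import org.apache.iotdb.commons.pipe.config.PipeConfig;
@@ -75,10 +77,9 @@ public abstract class IoTDBFileReceiver implements IoTDBReceiver {
 // Used to restore the original thread name when the receiver is closed.
 private String originalThreadName;
 
-protected long userId = -1;
 protected String username = CONNECTOR_IOTDB_USER_DEFAULT_VALUE;
-protected String cliHostname = "";
 protected String password = CONNECTOR_IOTDB_PASSWORD_DEFAULT_VALUE;
+protected IAuditEntity userEntity;
 
 protected long lastSuccessfulLoginTime = Long.MIN_VALUE;
 
@@ -288,6 +289,9 @@ protected TPipeTransferResp handleTransferHandshakeV2(final PipeTransferHandshak
 return new TPipeTransferResp(status);
 }
 
+long userId = -1;
+String cliHostname = "";
+
 final String userIdString =
 req.getParams().get(PipeTransferHandshakeConstant.HANDSHAKE_KEY_USER_ID);
 if (userIdString != null) {
@@ -303,6 +307,9 @@ protected TPipeTransferResp handleTransferHandshakeV2(final PipeTransferHandshak
 if (cliHostnameString != null) {
 cliHostname = cliHostnameString;
 }
+
+userEntity = new UserEntity(userId, username, cliHostname);
+
 final String passwordString =
 req.getParams().get(PipeTransferHandshakeConstant.HANDSHAKE_KEY_PASSWORD);
 if (passwordString != null) {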
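Review bot: `userEntity` becomes one long-lived object per receiver, yet the audit helpers introduced in this commit chain `userEntity.setPrivilegeType(...).setResult(...)` on it before calling recordAuditLog, so if those setters mutate in place (the chained call suggests they do), the privilege type and result of one check can be overwritten by the next check on the same receiver before or while the entry is written, and after the fact two decisions on the same entity are indistinguishable. The removed code built a fresh UserEntity per call in IoTDBDataNodeReceiver, which sidestepped that. Keeping the field as the immutable identity (userId, username, cliHostname) and having each check work on a copy, or making setPrivilegeType/setResult return a new instance, would keep the audit trail trustworthy. I cannot see IAuditEntity or UserEntity from this page, so whether the setters mutate needs confirming; handleTransferHandshakeV2 starts and continues outside the hunks.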
