Pipe: Fixed the bug that auth plan with system privileges can not be transferred (#14489)

Caideyipi · web-flow · commit 2a26c6eb52b6 · 2024-12-18T19:26:50.000+08:00
diff --git a/integration-test/src/test/java/org/apache/iotdb/pipe/it/manual/IoTDBPipeInclusionIT.java b/integration-test/src/test/java/org/apache/iotdb/pipe/it/manual/IoTDBPipeInclusionIT.java
@@ -180,6 +180,7 @@ public void testAuthInclusionWithPattern() throws Exception {
           senderEnv,
           Arrays.asList(
               "create user `ln_write_user` 'write_pwd'",
+              "grant manage_database,manage_user,manage_role,use_trigger,use_udf,use_cq,use_pipe on root.** to USER ln_write_user with grant option",
               "GRANT READ_DATA, WRITE_DATA ON root.** TO USER ln_write_user;"))) {
         return;
       }
@@ -189,7 +190,16 @@ public void testAuthInclusionWithPattern() throws Exception {
           "LIST PRIVILEGES OF USER ln_write_user",
           "ROLE,PATH,PRIVILEGES,GRANT OPTION,",
           new HashSet<>(
-              Arrays.asList(",root.ln.**,READ_DATA,false,", ",root.ln.**,WRITE_DATA,false,")));
+              Arrays.asList(
+                  ",root.**,MANAGE_USER,true,",
+                  ",root.**,MANAGE_ROLE,true,",
+                  ",root.**,USE_TRIGGER,true,",
+                  ",root.**,USE_UDF,true,",
+                  ",root.**,USE_CQ,true,",
+                  ",root.**,USE_PIPE,true,",
+                  ",root.**,MANAGE_DATABASE,true,",
+                  ",root.ln.**,READ_DATA,false,",
+                  ",root.ln.**,WRITE_DATA,false,")));
     }
   }
 
diff --git a/integration-test/src/test/java/org/apache/iotdb/pipe/it/manual/IoTDBPipeMetaHistoricalIT.java b/integration-test/src/test/java/org/apache/iotdb/pipe/it/manual/IoTDBPipeMetaHistoricalIT.java
@@ -192,6 +192,7 @@ public void testAuthInclusion() throws Exception {
               "create role `admin`",
               "grant role `admin` to `thulab`",
               "grant read on root.** to role `admin`",
+              "grant manage_database,manage_user,manage_role,use_trigger,use_udf,use_cq,use_pipe on root.** to role `admin`;",
               "create schema template t1 (temperature FLOAT encoding=RLE, status BOOLEAN encoding=PLAIN compression=SNAPPY)",
               "set schema template t1 to root.ln.wf01",
               "create timeseries using schema template on root.ln.wf01.wt01",
@@ -241,7 +242,16 @@ public void testAuthInclusion() throws Exception {
               + ColumnHeaderConstant.GRANT_OPTION
               + ",",
           new HashSet<>(
-              Arrays.asList("admin,root.**,READ_DATA,false,", "admin,root.**,READ_SCHEMA,false,")));
+              Arrays.asList(
+                  "admin,root.**,MANAGE_USER,false,",
+                  "admin,root.**,MANAGE_ROLE,false,",
+                  "admin,root.**,USE_TRIGGER,false,",
+                  "admin,root.**,USE_UDF,false,",
+                  "admin,root.**,USE_CQ,false,",
+                  "admin,root.**,USE_PIPE,false,",
+                  "admin,root.**,MANAGE_DATABASE,false,",
+                  "admin,root.**,READ_DATA,false,",
+                  "admin,root.**,READ_SCHEMA,false,")));
 
       TestUtils.assertDataAlwaysOnEnv(
           receiverEnv,
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/extractor/PipeConfigPhysicalPlanPatternParseVisitor.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/extractor/PipeConfigPhysicalPlanPatternParseVisitor.java
@@ -19,6 +19,7 @@
 
 package org.apache.iotdb.confignode.manager.pipe.extractor;
 
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.path.PartialPath;
 import org.apache.iotdb.commons.path.PathPatternTree;
 import org.apache.iotdb.commons.pipe.datastructure.pattern.IoTDBTreePattern;
@@ -50,6 +51,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 import java.util.stream.Stream;
@@ -192,15 +194,21 @@ private Optional<ConfigPhysicalPlan> visitPathRelatedAuthorPlan(
             .map(pattern::getIntersection)
             .flatMap(Collection::stream)
             .collect(Collectors.toList());
-    return !intersectedPaths.isEmpty()
+    final Set<Integer> permissions =
+        !intersectedPaths.isEmpty()
+            ? pathRelatedAuthorPlan.getPermissions()
+            : pathRelatedAuthorPlan.getPermissions().stream()
+                .filter(permission -> !PrivilegeType.values()[permission].isPathRelevant())
+                .collect(Collectors.toSet());
+    return !permissions.isEmpty()
         ? Optional.of(
             new AuthorPlan(
                 pathRelatedAuthorPlan.getAuthorType(),
                 pathRelatedAuthorPlan.getUserName(),
                 pathRelatedAuthorPlan.getRoleName(),
                 pathRelatedAuthorPlan.getPassword(),
                 pathRelatedAuthorPlan.getNewPassword(),
-                pathRelatedAuthorPlan.getPermissions(),
+                permissions,
                 pathRelatedAuthorPlan.getGrantOpt(),
                 intersectedPaths))
         : Optional.empty();
