
Commit b054a0f

committed
fix
1 parent e196254 commit b054a0f


4 files changed

+162
-90
lines changed


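--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/ConfigManager.java
@@ -1353,23 +1353,6 @@ public TAuthizedPatternTreeResp fetchAuthizedPatternTree(String username, int pe
 }
 }
 
-public TPermissionInfoResp checkUserPrivilegeGrantOpt(String username, PrivilegeUnion union) {
-TSStatus status = confirmLeader();
-TPermissionInfoResp resp = new TPermissionInfoResp();
-if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-try {
-resp = permissionManager.checkUserPrivilegeGrantOpt(username, union);
-} catch (AuthException e) {
-status.setCode(e.getCode().getStatusCode()).setMessage(e.getMessage());
-resp.setStatus(status);
-return resp;
-}
-} else {
-resp.setStatus(status);
-}
-return resp;
-}
-
 public TPermissionInfoResp checkRoleOfUser(String username, String rolename) {
 TSStatus status = confirmLeader();
 TPermissionInfoResp resp = new TPermissionInfoResp();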

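--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/PermissionManager.java
@@ -134,12 +134,6 @@ public PathPatternTree fetchRawAuthorizedPTree(final String userName, final Priv
 return authorInfo.generateRawAuthorizedPTree(userName, type);
 }
 
-public TPermissionInfoResp checkUserPrivilegeGrantOpt(String username, PrivilegeUnion union)
-throws AuthException {
-union.setGrantOption(true);
-return authorInfo.checkUserPrivileges(username, union);
-}
-
 public TPermissionInfoResp checkRoleOfUser(String username, String rolename)
 throws AuthException {
 return authorInfo.checkRoleOfUser(username, rolename);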

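--- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java
+++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java
@@ -20,6 +20,7 @@
 package org.apache.iotdb.confignode.manager.pipe.receiver.protocol;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.audit.AuditLogOperation;
 import org.apache.iotdb.commons.audit.IAuditEntity;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeUnion;
@@ -148,6 +149,7 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkGlobalOrAnyStatus;
 import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkGlobalStatus;
 import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkPathsStatus;
 
@@ -193,6 +195,7 @@ public TPipeTransferResp receive(final TPipeTransferReq req) {
 resp =
 handleTransferHandshakeV2(
 PipeTransferConfigNodeHandshakeV2Req.fromTPipeTransferReq(req));
+userEntity.setAuditLogOperation(AuditLogOperation.DDL);
 PipeConfigNodeReceiverMetrics.getInstance()
 .recordHandshakeConfigNodeV2Timer(System.nanoTime() - startTime);
 return resp;
@@ -302,11 +305,12 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 final String database;
 final String templateName;
 final String triggerName;
+final String entityName;
 switch (plan.getType()) {
 case CreateDatabase:
 database = ((DatabaseSchemaPlan) plan).getSchema().getName();
 if (PathUtils.isTableModelDatabase(database)) {
-status = checkDatabaseStatus(userEntity, PrivilegeType.CREATE, database, false);
+status = checkDatabaseStatus(userEntity, PrivilegeType.CREATE, database);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
 }
@@ -315,7 +319,7 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 case AlterDatabase:
 database = ((DatabaseSchemaPlan) plan).getSchema().getName();
 if (PathUtils.isTableModelDatabase(database)) {
-status = checkDatabaseStatus(userEntity, PrivilegeType.ALTER, database, false);
+status = checkDatabaseStatus(userEntity, PrivilegeType.ALTER, database);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
 }
@@ -324,7 +328,7 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 case DeleteDatabase:
 database = ((DeleteDatabasePlan) plan).getName();
 if (PathUtils.isTableModelDatabase(database)) {
-status = checkDatabaseStatus(userEntity, PrivilegeType.DELETE, database, false);
+status = checkDatabaseStatus(userEntity, PrivilegeType.DELETE, database);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, database, true);
 }
@@ -445,8 +449,7 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 userEntity,
 PrivilegeType.CREATE,
 ((PipeCreateTableOrViewPlan) plan).getDatabase(),
-((PipeCreateTableOrViewPlan) plan).getTable().getTableName(),
-true);
+((PipeCreateTableOrViewPlan) plan).getTable().getTableName());
 case AddTableColumn:
 case AddViewColumn:
 case SetTableProperties:
@@ -464,128 +467,175 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
 userEntity,
 PrivilegeType.ALTER,
 ((AbstractTablePlan) plan).getDatabase(),
-((AbstractTablePlan) plan).getTableName(),
-true);
+((AbstractTablePlan) plan).getTableName());
 case CommitDeleteTable:
 case CommitDeleteView:
 return checkTableStatus(
 userEntity,
 PrivilegeType.DELETE,
 ((CommitDeleteTablePlan) plan).getDatabase(),
-((CommitDeleteTablePlan) plan).getTableName(),
-true);
+((CommitDeleteTablePlan) plan).getTableName());
 case GrantRole:
 case GrantUser:
 case RevokeUser:
 case RevokeRole:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.GrantUser
+|| plan.getType() == ConfigPhysicalPlanType.RevokeUser
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
+status = checkGlobalStatus(userEntity, PrivilegeType.SECURITY, entityName, false);
+if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+return status;
+}
 for (final int permission : ((AuthorTreePlan) plan).getPermissions()) {
 status =
-configManager
-.checkUserPrivilegeGrantOpt(
-username,
-PrivilegeType.values()[permission].isPathPrivilege()
-? new PrivilegeUnion(
-((AuthorTreePlan) plan).getNodeNameList(),
-PrivilegeType.values()[permission],
-true)
-: new PrivilegeUnion(PrivilegeType.values()[permission], true))
-.getStatus();
+PrivilegeType.values()[permission].isPathPrivilege()
+? checkPathsStatus(
+userEntity,
+PrivilegeType.values()[permission],
+((AuthorTreePlan) plan).getNodeNameList(),
+false,
+entityName)
+: checkGlobalStatus(
+userEntity, PrivilegeType.values()[permission], entityName, false, true);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case RGrantUserAny:
 case RGrantRoleAny:
 case RRevokeUserAny:
 case RRevokeRoleAny:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.RGrantUserAny
+|| plan.getType() == ConfigPhysicalPlanType.RRevokeUserAny
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
 for (final int permission : ((AuthorRelationalPlan) plan).getPermissions()) {
 status =
-configManager
-.checkUserPrivileges(
-username, new PrivilegeUnion(PrivilegeType.values()[permission], true, true))
-.getStatus();
+checkGlobalOrAnyStatus(
+userEntity, PrivilegeType.values()[permission], entityName, false, true, true);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case RGrantUserAll:
 case RGrantRoleAll:
 case RRevokeUserAll:
 case RRevokeRoleAll:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.RGrantUserAll
+|| plan.getType() == ConfigPhysicalPlanType.RRevokeUserAll
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
 for (PrivilegeType privilegeType : PrivilegeType.values()) {
 if (privilegeType.isRelationalPrivilege()) {
 status =
-configManager
-.checkUserPrivileges(username, new PrivilegeUnion(privilegeType, true, true))
-.getStatus();
+checkGlobalOrAnyStatus(userEntity, privilegeType, entityName, false, true, true);
 } else if (privilegeType.forRelationalSys()) {
-status =
-configManager
-.checkUserPrivileges(username, new PrivilegeUnion(privilegeType, true))
-.getStatus();
+status = checkGlobalStatus(userEntity, privilegeType, entityName, false, true);
 } else {
 continue;
 }
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case RGrantUserDBPriv:
 case RGrantRoleDBPriv:
 case RRevokeUserDBPriv:
 case RRevokeRoleDBPriv:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.RGrantUserDBPriv
+|| plan.getType() == ConfigPhysicalPlanType.RRevokeUserDBPriv
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
 for (final int permission : ((AuthorRelationalPlan) plan).getPermissions()) {
 status =
-configManager
-.checkUserPrivileges(
-username,
-new PrivilegeUnion(
-((AuthorRelationalPlan) plan).getDatabaseName(),
-PrivilegeType.values()[permission],
-true))
-.getStatus();
+checkDatabaseStatus(
+userEntity,
+PrivilegeType.values()[permission],
+((AuthorRelationalPlan) plan).getDatabaseName(),
+true);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case RGrantUserTBPriv:
 case RGrantRoleTBPriv:
 case RRevokeUserTBPriv:
 case RRevokeRoleTBPriv:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.RGrantUserTBPriv
+|| plan.getType() == ConfigPhysicalPlanType.RRevokeUserTBPriv
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
 for (final int permission : ((AuthorRelationalPlan) plan).getPermissions()) {
 status =
-configManager
-.checkUserPrivileges(
-username,
-new PrivilegeUnion(
-((AuthorRelationalPlan) plan).getDatabaseName(),
-((AuthorRelationalPlan) plan).getTableName(),
-PrivilegeType.values()[permission],
-true))
-.getStatus();
+checkTableStatus(
+userEntity,
+PrivilegeType.values()[permission],
+((AuthorRelationalPlan) plan).getDatabaseName(),
+((AuthorRelationalPlan) plan).getTableName(),
+false,
+true);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case RGrantUserSysPri:
 case RGrantRoleSysPri:
 case RRevokeUserSysPri:
 case RRevokeRoleSysPri:
+entityName =
+plan.getType() == ConfigPhysicalPlanType.RGrantUserSysPri
+|| plan.getType() == ConfigPhysicalPlanType.RRevokeUserSysPri
+? ((AuthorPlan) plan).getUserName()
+: ((AuthorPlan) plan).getRoleName();
 for (final int permission : ((AuthorRelationalPlan) plan).getPermissions()) {
 status =
-configManager
-.checkUserPrivileges(
-username, new PrivilegeUnion(PrivilegeType.values()[permission], true))
-.getStatus();
+checkGlobalStatus(
+userEntity, PrivilegeType.values()[permission], entityName, false, true);
 if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
 return status;
 }
 }
+configManager
+.getAuditLogger()
+.recordAuditLog(
+userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true),
+() -> entityName);
 return StatusUtils.OK;
 case UpdateUser:
 case UpdateUserV2:
@@ -623,21 +673,24 @@ username, new PrivilegeUnion(PrivilegeType.values()[permission], true))
 }
 }
 
-public static TSStatus checkDatabaseStatus(
+private TSStatus checkDatabaseStatus(
+final IAuditEntity userEntity, final PrivilegeType privilegeType, final String database) {
+return checkDatabaseStatus(userEntity, privilegeType, database, false);
+}
+
+private TSStatus checkDatabaseStatus(
 final IAuditEntity userEntity,
 final PrivilegeType privilegeType,
 final String database,
-final boolean isLastCheck) {
-final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
-final CNAuditLogger logger = configManager.getAuditLogger();
+final boolean grantOption) {
 final TSStatus result =
 configManager
 .getPermissionManager()
 .checkUserPrivileges(
-userEntity.getUsername(), new PrivilegeUnion(database, privilegeType))
+userEntity.getUsername(), new PrivilegeUnion(database, privilegeType, grantOption))
 .getStatus();
-if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode() || isLastCheck) {
-logger.recordAuditLog(
+if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+auditLogger.recordAuditLog(
 userEntity
 .setPrivilegeType(privilegeType)
 .setResult(result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),
@@ -646,22 +699,30 @@ public static TSStatus checkDatabaseStatus(
 return result;
 }
 
-public static TSStatus checkTableStatus(
+private TSStatus checkTableStatus(
+final IAuditEntity userEntity,
+final PrivilegeType privilegeType,
+final String database,
+final String tableName) {
+return checkTableStatus(userEntity, privilegeType, database, tableName, true, false);
+}
+
+private TSStatus checkTableStatus(
 final IAuditEntity userEntity,
 final PrivilegeType privilegeType,
 final String database,
 final String tableName,
-final boolean isLastCheck) {
-final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
-final CNAuditLogger logger = configManager.getAuditLogger();
+final boolean isLastCheck,
+final boolean grantOption) {
 final TSStatus result =
 configManager
 .getPermissionManager()
 .checkUserPrivileges(
-userEntity.getUsername(), new PrivilegeUnion(database, tableName, privilegeType))
+userEntity.getUsername(),
+new PrivilegeUnion(database, tableName, privilegeType, grantOption))
 .getStatus();
 if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode() || isLastCheck) {
-logger.recordAuditLog(
+auditLogger.recordAuditLog(
 userEntity
 .setPrivilegeType(privilegeType)
 .setResult(result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),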
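Review bot: A denied privilege check in the grant/revoke cases of checkPermission (hunk `@@ -464,128 +467,175 @@`) leaves no audit record: every loop does `return status;` on the first failure before the post-loop `recordAuditLog(...)`, the helpers there are called with the isLastCheck argument `false` (explicit in the six-parameter checkTableStatus, which only logs when `|| isLastCheck` holds), and the rewritten checkDatabaseStatus now logs on success alone. Replacing those bare returns with `auditLogger.recordAuditLog(userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(false), () -> entityName); return status;` (auditLogger appears to be a field, since the rewritten helpers use it unqualified) would keep rejected grant attempts arriving through the pipe visible to whoever reads the audit log. The success-path block `configManager.getAuditLogger().recordAuditLog(userEntity.setPrivilegeType(PrivilegeType.SECURITY).setResult(true), () -> entityName);` is repeated verbatim six times, so a private helper taking userEntity, entityName and the boolean result would serve both paths. The tree path-privilege branch now calls `checkPathsStatus(userEntity, type, nodeNameList, false, entityName)` with no visible grant-option argument where the removed code built `new PrivilegeUnion(nodeNameList, type, true)`; that helper lives in PipeConfigTreePrivilegeParseVisitor, outside this view, so confirm it still requires the grant option before the privilege may be passed on. checkPermission begins before and continues past these hunks.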
