hdx

Caideyipi · Caideyipi · commit e39c9c4c5b5d · 2025-12-26T19:10:19.000+08:00
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java
@@ -82,6 +82,7 @@
 import org.apache.iotdb.confignode.consensus.request.write.table.view.SetViewCommentPlan;
 import org.apache.iotdb.confignode.consensus.request.write.table.view.SetViewPropertiesPlan;
 import org.apache.iotdb.confignode.consensus.request.write.template.CommitSetSchemaTemplatePlan;
+import org.apache.iotdb.confignode.consensus.request.write.template.CreateSchemaTemplatePlan;
 import org.apache.iotdb.confignode.consensus.request.write.template.ExtendSchemaTemplatePlan;
 import org.apache.iotdb.confignode.consensus.request.write.trigger.DeleteTriggerInTablePlan;
 import org.apache.iotdb.confignode.manager.ConfigManager;
@@ -146,6 +147,7 @@
 import java.util.concurrent.atomic.AtomicInteger;
 
 import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkGlobalStatus;
+import static org.apache.iotdb.confignode.manager.pipe.source.PipeConfigTreePrivilegeParseVisitor.checkPathsStatus;
 
 public class IoTDBConfigNodeReceiver extends IoTDBFileReceiver {
 
@@ -296,6 +298,7 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
     }
 
     String database;
+    String templateName;
     switch (plan.getType()) {
       case CreateDatabase:
         database = ((DatabaseSchemaPlan) plan).getSchema().getName();
@@ -331,23 +334,22 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
             ((ExtendSchemaTemplatePlan) plan).getTemplateExtendInfo().getTemplateName(),
             true);
       case CreateSchemaTemplate:
+        templateName = ((CreateSchemaTemplatePlan) plan).getTemplate().getName();
+        return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, templateName, true);
       case CommitSetSchemaTemplate:
+        templateName = ((CommitSetSchemaTemplatePlan) plan).getName();
+        return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, templateName, true);
       case PipeUnsetTemplate:
-        return CommonDescriptor.getInstance().getConfig().getDefaultAdminName().equals(username)
-            ? StatusUtils.OK
-            : new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
-                .setMessage("Only the admin user can perform this operation");
+        templateName = ((PipeUnsetSchemaTemplatePlan) plan).getName();
+        return checkGlobalStatus(userEntity, PrivilegeType.SYSTEM, templateName, true);
       case PipeDeleteTimeSeries:
-        return configManager
-            .checkUserPrivileges(
-                username,
-                new PrivilegeUnion(
-                    new ArrayList<>(
-                        PathPatternTree.deserialize(
-                                ((PipeDeleteTimeSeriesPlan) plan).getPatternTreeBytes())
-                            .getAllPathPatterns()),
-                    PrivilegeType.WRITE_SCHEMA))
-            .getStatus();
+        return checkPathsStatus(
+            userEntity,
+            PrivilegeType.WRITE_SCHEMA,
+            new ArrayList<>(
+                PathPatternTree.deserialize(((PipeDeleteTimeSeriesPlan) plan).getPatternTreeBytes())
+                    .getAllPathPatterns()),
+            true);
       case PipeAlterEncodingCompressor:
         // Judge here in the future
         if (configManager
@@ -376,37 +378,30 @@ private TSStatus checkPermission(final ConfigPhysicalPlan plan) throws IOExcepti
                       .serialize());
           return StatusUtils.OK;
         } else {
-          return configManager
-              .checkUserPrivileges(
-                  username,
-                  new PrivilegeUnion(
-                      new ArrayList<>(
-                          PathPatternTree.deserialize(
-                                  ((PipeAlterEncodingCompressorPlan) plan).getPatternTreeBytes())
-                              .getAllPathPatterns()),
-                      PrivilegeType.WRITE_SCHEMA))
-              .getStatus();
+          return checkPathsStatus(
+              userEntity,
+              PrivilegeType.WRITE_SCHEMA,
+              new ArrayList<>(
+                  PathPatternTree.deserialize(
+                          ((PipeAlterEncodingCompressorPlan) plan).getPatternTreeBytes())
+                      .getAllPathPatterns()),
+              true);
         }
       case PipeDeleteLogicalView:
-        return configManager
-            .checkUserPrivileges(
-                username,
-                new PrivilegeUnion(
-                    new ArrayList<>(
-                        PathPatternTree.deserialize(
-                                ((PipeDeleteLogicalViewPlan) plan).getPatternTreeBytes())
-                            .getAllPathPatterns()),
-                    PrivilegeType.WRITE_SCHEMA))
-            .getStatus();
+        return checkPathsStatus(
+            userEntity,
+            PrivilegeType.WRITE_SCHEMA,
+            new ArrayList<>(
+                PathPatternTree.deserialize(
+                        ((PipeDeleteLogicalViewPlan) plan).getPatternTreeBytes())
+                    .getAllPathPatterns()),
+            true);
       case PipeDeactivateTemplate:
-        return configManager
-            .checkUserPrivileges(
-                username,
-                new PrivilegeUnion(
-                    new ArrayList<>(
-                        ((PipeDeactivateTemplatePlan) plan).getTemplateSetInfo().keySet()),
-                    PrivilegeType.WRITE_SCHEMA))
-            .getStatus();
+        return checkPathsStatus(
+            userEntity,
+            PrivilegeType.WRITE_SCHEMA,
+            new ArrayList<>(((PipeDeactivateTemplatePlan) plan).getTemplateSetInfo().keySet()),
+            true);
       case SetTTL:
         return Objects.equals(
                 configManager
diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/source/PipeConfigTreePrivilegeParseVisitor.java
@@ -51,6 +51,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.annotation.Nonnull;
+
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -441,13 +443,34 @@ public static boolean hasGlobalPrivilege(
         == TSStatusCode.SUCCESS_STATUS.getStatusCode();
   }
 
+  public static TSStatus checkPathsStatus(
+      final IAuditEntity userEntity,
+      final PrivilegeType privilegeType,
+      final @Nonnull List<PartialPath> paths,
+      final boolean isLastCheck) {
+    final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
+    final CNAuditLogger logger = configManager.getAuditLogger();
+    final TSStatus result =
+        ConfigNode.getInstance()
+            .getConfigManager()
+            .getPermissionManager()
+            .checkUserPrivileges(userEntity.getUsername(), new PrivilegeUnion(paths, privilegeType))
+            .getStatus();
+    if (result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode() || isLastCheck) {
+      logger.recordAuditLog(
+          userEntity
+              .setPrivilegeType(PrivilegeType.READ_SCHEMA)
+              .setResult(result.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),
+          paths::toString);
+    }
+    return result;
+  }
+
   private boolean hasReadPrivilege(
       final IAuditEntity userEntity,
       final String path,
       final boolean withWildcard,
       final boolean isLastCheck) {
-    final ConfigManager configManager = ConfigNode.getInstance().getConfigManager();
-    final CNAuditLogger logger = configManager.getAuditLogger();
     PartialPath partialPath;
     try {
       partialPath = new PartialPath(path);
@@ -458,21 +481,12 @@ private boolean hasReadPrivilege(
     if (withWildcard) {
       partialPath = partialPath.concatNode(MULTI_LEVEL_PATH_WILDCARD);
     }
-    final boolean result =
-        ConfigNode.getInstance()
-                .getConfigManager()
-                .getPermissionManager()
-                .checkUserPrivileges(
-                    userEntity.getUsername(),
-                    new PrivilegeUnion(
-                        Collections.singletonList(partialPath), PrivilegeType.READ_SCHEMA))
-                .getStatus()
-                .getCode()
-            == TSStatusCode.SUCCESS_STATUS.getStatusCode();
-    if (result || isLastCheck) {
-      logger.recordAuditLog(
-          userEntity.setPrivilegeType(PrivilegeType.READ_SCHEMA).setResult(result), () -> path);
-    }
-    return result;
+    return checkPathsStatus(
+                userEntity,
+                PrivilegeType.READ_SCHEMA,
+                Collections.singletonList(partialPath),
+                isLastCheck)
+            .getCode()
+        == TSStatusCode.SUCCESS_STATUS.getStatusCode();
   }
 }
