Skip to content

I
Iotdb

apache / Iotdb
9 个月 前同步成功

通知 25
Star 3344
Fork 916
I
Iotdb

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

未验证 提交 878bb06a 编写于 作者: C Colin Li 提交者: GitHub
浏览文件
操作

Cl auth it (#11064)

上级 98bfde3b
隐藏空白更改
内联 并排
Showing with 353 addition and 60 deletion
integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
浏览文件 @ 878bb06a
......@@ -19,6 +19,7 @@
package org.apache.iotdb.db.it.auth;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.db.queryengine.common.header.ColumnHeaderConstant;
import org.apache.iotdb.it.env.EnvFactory;
import org.apache.iotdb.it.framework.IoTDBTestRunner;
......@@ -488,32 +489,41 @@ public class IoTDBAuthIT {
adminStmt.execute("GRANT READ_SCHEMA ON root.a.b TO USER user1");
adminStmt.execute("CREATE ROLE role1");
adminStmt.execute("GRANT READ_SCHEMA,WRITE_DATA ON root.a.b.c TO ROLE role1");
adminStmt.execute("GRANT READ_SCHEMA,WRITE_DATA ON root.d.b.c TO ROLE role1");
adminStmt.execute("GRANT role1 TO user1");
adminStmt.execute(
"GRANT READ_SCHEMA,WRITE_DATA ON root.d.b.c TO ROLE role1 WITH GRANT OPTION");
adminStmt.execute("GRANT ROLE role1 TO user1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user1");
String ans =
",root.a.b : READ_SCHEMA"
+ ",\n"
+ "role1,root.a.b.c : WRITE_DATA READ_SCHEMA"
+ ",\n"
+ "role1,root.d.b.c : WRITE_DATA READ_SCHEMA"
+ ",\n";
",root.a.b,READ_SCHEMA,false,\n"
+ "role1,root.a.b.c,WRITE_DATA,false,\n"
+ "role1,root.a.b.c,READ_SCHEMA,false,\n"
+ "role1,root.d.b.c,READ_SCHEMA,true,\n"
+ "role1,root.d.b.c,WRITE_DATA,true,\n";
try {
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c");
ans = "role1,root.a.b.c : WRITE_DATA READ_SCHEMA,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE role1 from user1");
adminStmt.execute("REVOKE ROLE role1 from user1");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1");
ans = ",root.a.b : READ_SCHEMA,\n";
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user1");
ans = ",root.a.b,READ_SCHEMA,false,\n";
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.**");
ans = ",root.a.b : READ_SCHEMA,\n";
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER root");
ans =
",,MANAGE_USER,true,\n"
+ ",,MANAGE_ROLE,true,\n"
+ ",,USE_TRIGGER,true,\n"
+ ",,USE_UDF,true,\n"
+ ",,USE_CQ,true,\n"
+ ",,USE_PIPE,true,\n"
+ ",,EXTEND_TEMPLATE,true,\n"
+ ",,MANAGE_DATABASE,true,\n"
+ ",,MAINTAIN,true,\n"
+ ",,AUDIT,true,\n"
+ ",root.**,READ_DATA,true,\n"
+ ",root.**,WRITE_DATA,true,\n"
+ ",root.**,READ_SCHEMA,true,\n"
+ ",root.**,WRITE_SCHEMA,true,\n";
validateResultSet(resultSet, ans);
} finally {
resultSet.close();
......@@ -531,30 +541,24 @@ public class IoTDBAuthIT {
try {
adminStmt.execute("CREATE ROLE role1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1");
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF ROLE role1");
String ans = "";
try {
// not granted list role privilege, should return empty
validateResultSet(resultSet, ans);
adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c");
adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1");
ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n" + "root.d.b.c : WRITE_DATA READ_SCHEMA,\n";
validateResultSet(resultSet, ans);
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c");
ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n";
adminStmt.execute("GRANT READ_SCHEMA,WRITE_DATA ON root.a.b.c TO ROLE role1");
adminStmt.execute(
"GRANT READ_SCHEMA,WRITE_DATA ON root.d.b.c TO ROLE role1 WITH GRANT OPTION");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF ROLE role1");
ans =
"role1,root.a.b.c,WRITE_DATA,false,\nrole1,root.a.b.c,READ_SCHEMA,false,\nrole1,root.d.b.c,READ_SCHEMA,true,\nrole1,root.d.b.c,WRITE_DATA,true,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1");
ans = "root.d.b.c : WRITE_DATA READ_SCHEMA,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE READ_SCHEMA,WRITE_DATA ON root.a.b.c FROM ROLE role1");
resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c");
ans = "";
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF ROLE role1");
ans = "role1,root.d.b.c,WRITE_DATA,true,\n" + "role1,root.d.b.c,READ_SCHEMA,true,\n";
validateResultSet(resultSet, ans);
} finally {
resultSet.close();
......@@ -579,19 +583,19 @@ public class IoTDBAuthIT {
adminStmt.execute("CREATE ROLE zhazha");
adminStmt.execute("CREATE ROLE hakase");
adminStmt.execute("GRANT xijing TO chenduxiu");
adminStmt.execute("GRANT dalao TO chenduxiu");
adminStmt.execute("GRANT shenshi TO chenduxiu");
adminStmt.execute("GRANT zhazha TO chenduxiu");
adminStmt.execute("GRANT hakase TO chenduxiu");
adminStmt.execute("GRANT ROLE xijing TO chenduxiu");
adminStmt.execute("GRANT ROLE dalao TO chenduxiu");
adminStmt.execute("GRANT ROLE shenshi TO chenduxiu");
adminStmt.execute("GRANT ROLE zhazha TO chenduxiu");
adminStmt.execute("GRANT ROLE hakase TO chenduxiu");
ResultSet resultSet = adminStmt.executeQuery("LIST ROLE OF USER chenduxiu");
String ans = "xijing,\n" + "dalao,\n" + "shenshi,\n" + "zhazha,\n" + "hakase,\n";
try {
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE dalao FROM chenduxiu");
adminStmt.execute("REVOKE hakase FROM chenduxiu");
adminStmt.execute("REVOKE ROLE dalao FROM chenduxiu");
adminStmt.execute("REVOKE ROLE hakase FROM chenduxiu");
resultSet = adminStmt.executeQuery("LIST ROLE OF USER chenduxiu");
ans = "xijing,\n" + "shenshi,\n" + "zhazha,\n";
......@@ -634,10 +638,10 @@ public class IoTDBAuthIT {
for (int i = 0; i < members.length - 1; i++) {
adminStmt.execute("CREATE USER " + members[i] + " 'a666666'");
adminStmt.execute("GRANT dalao TO " + members[i]);
adminStmt.execute("GRANT ROLE dalao TO " + members[i]);
}
adminStmt.execute("CREATE USER RiverSky 'a2333333'");
adminStmt.execute("GRANT zhazha TO RiverSky");
adminStmt.execute("GRANT ROLE zhazha TO RiverSky");
ResultSet resultSet = adminStmt.executeQuery("LIST USER OF ROLE dalao");
String ans =
......@@ -662,7 +666,7 @@ public class IoTDBAuthIT {
ans = "RiverSky,\n";
validateResultSet(resultSet, ans);
adminStmt.execute("REVOKE zhazha from RiverSky");
adminStmt.execute("REVOKE ROLE zhazha from RiverSky");
resultSet = adminStmt.executeQuery("LIST USER OF ROLE zhazha");
ans = "";
validateResultSet(resultSet, ans);
......@@ -716,7 +720,7 @@ public class IoTDBAuthIT {
try {
Assert.assertThrows(SQLException.class, () -> userStmt.execute("LIST USER"));
// with list user privilege
adminStmt.execute("GRANT USER tempuser PRIVILEGES MANAGE_USER on root.**");
adminStmt.execute("GRANT MANAGE_USER on root.** TO USER tempuser");
ResultSet resultSet = userStmt.executeQuery("LIST USER");
String ans =
"root,\n"
......@@ -832,4 +836,158 @@ public class IoTDBAuthIT {
}
}
}
@Test
public void testGrantAndGrantOpt() throws SQLException {
// 1. CREATE USER1. USER2. USER3
Connection adminCon = EnvFactory.getEnv().getConnection();
Statement adminStmt = adminCon.createStatement();
adminStmt.execute("CREATE USER user1 'password'");
adminStmt.execute("CREATE USER user2 'password'");
adminStmt.execute("CREATE USER user3 'password'");
adminStmt.execute("CREATE ROLE testRole");
adminStmt.execute("GRANT MANAGE_DATABASE ON root.** TO ROLE testRole WITH GRANT OPTION");
adminStmt.execute("GRANT READ_DATA ON root.t1.** TO ROLE testRole");
adminStmt.execute("GRANT READ_SCHEMA ON root.t3.t2.** TO ROLE testRole WITH GRANT OPTION");
// 2. USER1 has all privileges on root.**
for (PrivilegeType item : PrivilegeType.values()) {
String sql = "GRANT %s on root.** to USER user1";
adminStmt.execute(String.format(sql, item.toString()));
}
// 3.admin lists privileges of user1
ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user1");
String ans =
",,MANAGE_USER,false,\n"
+ ",,MANAGE_ROLE,false,\n"
+ ",,USE_TRIGGER,false,\n"
+ ",,USE_UDF,false,\n"
+ ",,USE_CQ,false,\n"
+ ",,USE_PIPE,false,\n"
+ ",,EXTEND_TEMPLATE,false,\n"
+ ",,MANAGE_DATABASE,false,\n"
+ ",,MAINTAIN,false,\n"
+ ",,AUDIT,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
+ ",root.**,WRITE_SCHEMA,false,\n";
validateResultSet(resultSet, ans);
// 4. USER2 has all privilegs on root.** with grant option;
for (PrivilegeType item : PrivilegeType.values()) {
String sql = "GRANT %s on root.** to USER user2 with grant option";
adminStmt.execute(String.format(sql, item.toString()));
}
resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user2");
ans =
",,MANAGE_USER,true,\n"
+ ",,MANAGE_ROLE,true,\n"
+ ",,USE_TRIGGER,true,\n"
+ ",,USE_UDF,true,\n"
+ ",,USE_CQ,true,\n"
+ ",,USE_PIPE,true,\n"
+ ",,EXTEND_TEMPLATE,true,\n"
+ ",,MANAGE_DATABASE,true,\n"
+ ",,MAINTAIN,true,\n"
+ ",,AUDIT,true,\n"
+ ",root.**,READ_DATA,true,\n"
+ ",root.**,WRITE_DATA,true,\n"
+ ",root.**,READ_SCHEMA,true,\n"
+ ",root.**,WRITE_SCHEMA,true,\n";
validateResultSet(resultSet, ans);
// now user1 has all privileges, user2 has all privileges with grant option, user3 doesn't have
// privileges
// 5. Login user1 to list user2 privileges will success
// user1 cannot grant any privilegs to user3
try (Connection userCon = EnvFactory.getEnv().getConnection("user1", "password");
Statement userStmt = userCon.createStatement()) {
try {
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
ans =
",,MANAGE_USER,false,\n"
+ ",,MANAGE_ROLE,false,\n"
+ ",,USE_TRIGGER,false,\n"
+ ",,USE_UDF,false,\n"
+ ",,USE_CQ,false,\n"
+ ",,USE_PIPE,false,\n"
+ ",,EXTEND_TEMPLATE,false,\n"
+ ",,MANAGE_DATABASE,false,\n"
+ ",,MAINTAIN,false,\n"
+ ",,AUDIT,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
+ ",root.**,WRITE_SCHEMA,false,\n";
validateResultSet(resultSet, ans);
Assert.assertThrows(
SQLException.class,
() -> userStmt.execute("GRANT MANAGE_ROLE ON root.** TO USER user3"));
Assert.assertThrows(
SQLException.class,
() -> userStmt.execute("REVOKE MANAGE_ROLE ON root.** FROM USER user2"));
} finally {
userStmt.close();
}
}
// 6.Login user2 grant and revoke will success.
try (Connection userCon = EnvFactory.getEnv().getConnection("user2", "password");
Statement userStmt = userCon.createStatement()) {
try {
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
validateResultSet(resultSet, ans);
userStmt.execute("GRANT MANAGE_ROLE ON root.** TO USER user3");
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user3");
ans = ",,MANAGE_ROLE,false,\n";
validateResultSet(resultSet, ans);
userStmt.execute("REVOKE MANAGE_ROLE ON root.** FROM USER user1");
resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
ans =
",,MANAGE_USER,false,\n"
+ ",,USE_TRIGGER,false,\n"
+ ",,USE_UDF,false,\n"
+ ",,USE_CQ,false,\n"
+ ",,USE_PIPE,false,\n"
+ ",,EXTEND_TEMPLATE,false,\n"
+ ",,MANAGE_DATABASE,false,\n"
+ ",,MAINTAIN,false,\n"
+ ",,AUDIT,false,\n"
+ ",root.**,READ_DATA,false,\n"
+ ",root.**,WRITE_DATA,false,\n"
+ ",root.**,READ_SCHEMA,false,\n"
+ ",root.**,WRITE_SCHEMA,false,\n";
validateResultSet(resultSet, ans);
} finally {
userStmt.close();
}
}
adminStmt.execute("GRANT ROLE testRole TO user3");
// now user has:
// 1. MANAGE_ROLE
// 2. MANAGE_DATABASE with grant option
// 3. READ_DATA on root.t1.**
// 4. READ_SCHEMA on root.t3.t2.**
try (Connection userCon = EnvFactory.getEnv().getConnection("user3", "password");
Statement userStmt = userCon.createStatement()) {
try {
// because role's privilege
userStmt.execute("GRANT MANAGE_DATABASE ON root.** TO USER user1");
Assert.assertThrows(
SQLException.class,
() -> userStmt.execute("GRANT READ_DATA ON root.t1.** TO USER user1"));
userStmt.execute("GRANT READ_SCHEMA ON root.t3.t2.t3 TO USER user1");
Assert.assertThrows(
SQLException.class,
() -> userStmt.execute("GRANT READ_DATA ON root.t1.t2.t3 TO USER user1"));
} finally {
userStmt.close();
}
}
adminStmt.close();
}
}
iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/persistence/AuthorInfo.java
浏览文件 @ 878bb06a
......@@ -115,7 +115,7 @@ public class AuthorInfo implements SnapshotProcessor {
return result;
}
// if All paths fail, return No permission;
// if All paths fail, return No permission
// if some paths fail, return SUCCESS and failed index list
// if all path success, return success and empty index list
public TPermissionInfoResp checkUserPrivileges(
......
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java
浏览文件 @ 878bb06a
......@@ -204,29 +204,26 @@ public class AuthorityChecker {
boolean listRoleUser = false;
if (authResp.tag.equals(IoTDBConstant.COLUMN_ROLE)
|| authResp.tag.equals(IoTDBConstant.COLUMN_USER)) {
// if list role/user, just return 1 column.
listRoleUser = true;
types.add(TSDataType.TEXT);
} else {
// if list privilege, return : rolename, path, privilege, grant option
types.add(TSDataType.TEXT);
types.add(TSDataType.TEXT);
types.add(TSDataType.TEXT);
types.add(TSDataType.BOOLEAN);
}
TsBlockBuilder builder = new TsBlockBuilder(types);
List<ColumnHeader> headerList = new ArrayList<>();
if (listRoleUser) {
headerList.add(new ColumnHeader(authResp.getTag(), TSDataType.TEXT));
types.add(TSDataType.TEXT);
} else {
headerList.add(new ColumnHeader(new String("ROLE"), TSDataType.TEXT));
types.add(TSDataType.TEXT);
headerList.add(new ColumnHeader(new String("PATH"), TSDataType.TEXT));
types.add(TSDataType.TEXT);
headerList.add(new ColumnHeader(new String("PRIVILEGES"), TSDataType.TEXT));
types.add(TSDataType.TEXT);
headerList.add(new ColumnHeader(new String("GRANT OPTION"), TSDataType.BOOLEAN));
types.add(TSDataType.BOOLEAN);
}
TsBlockBuilder builder = new TsBlockBuilder(types);
if (listRoleUser) {
for (String name : authResp.getMemberInfo()) {
builder.getTimeColumnBuilder().writeLong(0L);
......
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/ClusterAuthorityFetcher.java
浏览文件 @ 878bb06a
......@@ -22,6 +22,7 @@ package org.apache.iotdb.db.auth;
import org.apache.iotdb.common.rpc.thrift.TSStatus;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.Role;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.client.IClientManager;
......@@ -127,7 +128,7 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
boolean grantOpt;
if (user != null) {
if (!user.isOpenIdUser()) {
if (!paths.isEmpty()) {
if (PrivilegeType.values()[permission].isPathRelevant()) {
for (PartialPath path : paths) {
grantOpt = user.checkPathPrivilegeGrantOpt(path, permission);
if (!grantOpt) {
......@@ -152,9 +153,7 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
}
return true;
} else {
grantOpt =
user.getSysPrivilege().contains(permission)
&& user.getSysPriGrantOpt().contains(permission);
grantOpt = user.checkSysPriGrantOpt(permission);
if (!grantOpt) {
for (String roleName : user.getRoleList()) {
Role role = iAuthorCache.getRoleCache(roleName);
......@@ -169,6 +168,7 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
return checkUserPrivilegeGrantOptFromConfigNode(username, paths, permission);
}
}
return false;
} else {
return true;
}
......@@ -363,6 +363,7 @@ public class ClusterAuthorityFetcher implements IAuthorityFetcher {
return iAuthorCache;
}
@Override
public void refreshToken() {
long currentTime = System.currentTimeMillis();
if (heartBeatTimeStamp == 0) {
......
iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java
浏览文件 @ 878bb06a
......@@ -187,4 +187,117 @@ public class AuthorizerManagerTest {
Assert.assertNull(user1);
Assert.assertNull(role1);
}
@Test
public void grantOptTest() throws IllegalPathException {
User user = new User();
Role role = new Role();
Set<Integer> sysPri = new HashSet<>();
sysPri.add(PrivilegeType.MANAGE_DATABASE.ordinal());
sysPri.add(PrivilegeType.USE_PIPE.ordinal());
user.setSysPrivilegeSet(sysPri);
Set<Integer> sysGrantOpt = new HashSet<>();
sysGrantOpt.add(PrivilegeType.USE_PIPE.ordinal());
user.setSysPriGrantOpt(sysGrantOpt);
List<PathPrivilege> pathList = new ArrayList<>();
PartialPath pathRoot = new PartialPath("root.**");
PartialPath path1 = new PartialPath("root.d1.**");
PathPrivilege priv1 = new PathPrivilege(path1);
priv1.grantPrivilege(PrivilegeType.READ_DATA.ordinal(), false);
priv1.grantPrivilege(PrivilegeType.WRITE_SCHEMA.ordinal(), true);
pathList.add(priv1);
user.setPrivilegeList(pathList);
user.setName("user1");
user.setPassword("123456");
// user's priv:
// 1. MANAGE_DATABASE
// 2. USE_PIPE with grant option
// 3. READ_DATA root.d1.**
// 4. WRITE_SCHEMA root.d1.** with grant option
// role's priv:
// 1. USE_UDF
// 2. USE_CQ with grant option
// 3. READ_DATA root.t9.** with grant option
role.setName("role1");
Set<Integer> sysPriRole = new HashSet<>();
sysPriRole.add(PrivilegeType.USE_UDF.ordinal());
sysPriRole.add(PrivilegeType.USE_CQ.ordinal());
role.setSysPrivilegeSet(sysPriRole);
Set<Integer> sysGrantOptRole = new HashSet<>();
sysGrantOptRole.add(PrivilegeType.USE_CQ.ordinal());
role.setSysPriGrantOpt(sysGrantOptRole);
PathPrivilege privRole = new PathPrivilege(new PartialPath("root.t9.**"));
privRole.grantPrivilege(PrivilegeType.READ_DATA.ordinal(), true);
role.setPrivilegeList(Collections.singletonList(privRole));
user.setRoleList(Collections.singletonList("role1"));
authorityFetcher.getAuthorCache().putUserCache("user1", user);
authorityFetcher.getAuthorCache().putRoleCache("role1", role);
// for system priv. we have USE_PIPE grant option.
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(pathRoot), PrivilegeType.USE_PIPE.ordinal()));
Assert.assertFalse(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(pathRoot), PrivilegeType.MANAGE_USER.ordinal()));
// for path priv. we have write_schema on root.d1.** with grant option.
// require root.d1.** with write_schema, return true
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(path1), PrivilegeType.WRITE_SCHEMA.ordinal()));
// require root.** with write_schema, return false
Assert.assertFalse(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(pathRoot), PrivilegeType.WRITE_SCHEMA.ordinal()));
// reuqire root.d1.d2 with write_schema, return true
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1",
Collections.singletonList(new PartialPath(new String("root.d1.d2"))),
PrivilegeType.WRITE_SCHEMA.ordinal()));
// require root.d1.d2 with read_schema, return false
Assert.assertFalse(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1",
Collections.singletonList(new PartialPath(new String("root.d1.d2"))),
PrivilegeType.READ_SCHEMA.ordinal()));
// role test
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1",
Collections.singletonList(new PartialPath(new String("root.t9.**"))),
PrivilegeType.READ_DATA.ordinal()));
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1",
Collections.singletonList(new PartialPath(new String("root.t9.t10"))),
PrivilegeType.READ_DATA.ordinal()));
Assert.assertFalse(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1",
Collections.singletonList(new PartialPath(new String("root.t9.**"))),
PrivilegeType.WRITE_DATA.ordinal()));
Assert.assertFalse(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(pathRoot), PrivilegeType.USE_TRIGGER.ordinal()));
Assert.assertTrue(
authorityFetcher.checkUserPrivilegeGrantOpt(
"user1", Collections.singletonList(pathRoot), PrivilegeType.USE_CQ.ordinal()));
}
}
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/Role.java
浏览文件 @ 878bb06a
......@@ -222,6 +222,9 @@ public class Role {
return sysPrivilegeSet.contains(privilegeId);
}
public boolean checkSysPriGrantOpt(int privilegeId) {
return sysPrivilegeSet.contains(privilegeId) && sysPriGrantOpt.contains(privilegeId);
}
/** ----------- misc --------------------* */
@Override
public boolean equals(Object o) {
......
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java
浏览文件 @ 878bb06a
......@@ -19,9 +19,13 @@
package org.apache.iotdb.commons.auth.user;
import org.apache.iotdb.commons.auth.AuthException;
import org.apache.iotdb.commons.auth.entity.PathPrivilege;
import org.apache.iotdb.commons.auth.entity.PrivilegeType;
import org.apache.iotdb.commons.auth.entity.User;
import org.apache.iotdb.commons.concurrent.HashLock;
import org.apache.iotdb.commons.conf.CommonDescriptor;
import org.apache.iotdb.commons.conf.IoTDBConstant;
import org.apache.iotdb.commons.exception.IllegalPathException;
import org.apache.iotdb.commons.path.PartialPath;
import org.apache.iotdb.commons.utils.AuthUtils;
import org.apache.iotdb.rpc.TSStatusCode;
......@@ -84,6 +88,23 @@ public abstract class BasicUserManager implements IUserManager {
true);
setUserUseWaterMark(CommonDescriptor.getInstance().getConfig().getAdminName(), false);
}
admin = getUser(CommonDescriptor.getInstance().getConfig().getAdminName());
try {
PartialPath rootPath = new PartialPath(new String(IoTDBConstant.PATH_ROOT + ".**"));
PathPrivilege pathPri = new PathPrivilege(rootPath);
for (PrivilegeType item : PrivilegeType.values()) {
if (!item.isPathRelevant()) {
admin.getSysPrivilege().add(item.ordinal());
admin.getSysPriGrantOpt().add(item.ordinal());
} else {
pathPri.grantPrivilege(item.ordinal(), true);
}
}
admin.getPathPrivilegeList().add(pathPri);
} catch (IllegalPathException e) {
// This error only results in a lack of permissions for list.
logger.warn("Got an wrong path for root to init");
}
logger.info("Admin initialized");
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册