parAuthenticator.c 10.2 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
/*
 * Copyright (c) 2019 TAOS Data, Inc. <jhtao@taosdata.com>
 *
 * This program is free software: you can use, redistribute, and/or modify
 * it under the terms of the GNU Affero General Public License, version 3
 * or later ("AGPL"), as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include "catalog.h"
X
Xiaoyu Wang 已提交
17
#include "cmdnodes.h"
18 19 20
#include "parInt.h"

typedef struct SAuthCxt {
21 22 23
  SParseContext*   pParseCxt;
  SParseMetaCache* pMetaCache;
  int32_t          errCode;
24 25
} SAuthCxt;

26 27 28 29 30
typedef struct SSelectAuthCxt {
  SAuthCxt*    pAuthCxt;
  SSelectStmt* pSelect;
} SSelectAuthCxt;

31 32
static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt);

X
Xiaoyu Wang 已提交
33 34 35 36 37 38 39 40 41 42 43 44
static void setUserAuthInfo(SParseContext* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type,
                            SUserAuthInfo* pAuth) {
  snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pUser);
  if (NULL == pTabName) {
    tNameSetDbName(&pAuth->tbName, pCxt->acctId, pDbName, strlen(pDbName));
  } else {
    toName(pCxt->acctId, pDbName, pTabName, &pAuth->tbName);
  }
  pAuth->type = type;
}

static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {
45 46
  SParseContext* pParseCxt = pCxt->pParseCxt;
  if (pParseCxt->isSuperUser) {
47 48
    return TSDB_CODE_SUCCESS;
  }
X
Xiaoyu Wang 已提交
49 50 51 52 53

  SUserAuthInfo authInfo = {0};
  setUserAuthInfo(pCxt->pParseCxt, pDbName, pTabName, type, &authInfo);
  int32_t      code = TSDB_CODE_SUCCESS;
  SUserAuthRes authRes = {0};
54
  if (NULL != pCxt->pMetaCache) {
X
Xiaoyu Wang 已提交
55
    code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);
56
  } else {
57
    SRequestConnInfo conn = {.pTrans = pParseCxt->pTransporter,
D
dapan1121 已提交
58 59 60
                             .requestId = pParseCxt->requestId,
                             .requestObjRefId = pParseCxt->requestRid,
                             .mgmtEps = pParseCxt->mgmtEpSet};
D
dapan1121 已提交
61
    code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes);
62
  }
X
Xiaoyu Wang 已提交
63 64 65 66
  if (TSDB_CODE_SUCCESS == code && NULL != pCond) {
    *pCond = authRes.pCond;
  }
  return TSDB_CODE_SUCCESS == code ? (authRes.pass ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED) : code;
67 68 69 70 71 72
}

static EDealRes authSubquery(SAuthCxt* pCxt, SNode* pStmt) {
  return TSDB_CODE_SUCCESS == authQuery(pCxt, pStmt) ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
}

X
Xiaoyu Wang 已提交
73
static int32_t mergeStableTagCond(SNode** pWhere, SNode* pTagCond) {
74 75 76 77 78 79 80
  SLogicConditionNode* pLogicCond = (SLogicConditionNode*)nodesMakeNode(QUERY_NODE_LOGIC_CONDITION);
  if (NULL == pLogicCond) {
    return TSDB_CODE_OUT_OF_MEMORY;
  }
  pLogicCond->node.resType.type = TSDB_DATA_TYPE_BOOL;
  pLogicCond->node.resType.bytes = tDataTypes[TSDB_DATA_TYPE_BOOL].bytes;
  pLogicCond->condType = LOGIC_COND_TYPE_AND;
X
Xiaoyu Wang 已提交
81
  int32_t code = nodesListMakeStrictAppend(&pLogicCond->pParameterList, pTagCond);
82 83 84 85 86 87 88 89 90 91 92
  if (TSDB_CODE_SUCCESS == code) {
    code = nodesListMakeAppend(&pLogicCond->pParameterList, *pWhere);
  }
  if (TSDB_CODE_SUCCESS == code) {
    *pWhere = (SNode*)pLogicCond;
  } else {
    nodesDestroyNode((SNode*)pLogicCond);
  }
  return code;
}

X
Xiaoyu Wang 已提交
93
static int32_t appendStableTagCond(SNode** pWhere, SNode* pTagCond) {
X
Xiaoyu Wang 已提交
94 95 96 97 98
  SNode* pTagCondCopy = nodesCloneNode(pTagCond);
  if (NULL == pTagCondCopy) {
    return TSDB_CODE_OUT_OF_MEMORY;
  }

X
Xiaoyu Wang 已提交
99
  if (NULL == *pWhere) {
X
Xiaoyu Wang 已提交
100
    *pWhere = pTagCondCopy;
101 102 103
    return TSDB_CODE_SUCCESS;
  }

X
Xiaoyu Wang 已提交
104 105
  if (QUERY_NODE_LOGIC_CONDITION == nodeType(*pWhere) &&
      LOGIC_COND_TYPE_AND == ((SLogicConditionNode*)*pWhere)->condType) {
X
Xiaoyu Wang 已提交
106
    return nodesListStrictAppend(((SLogicConditionNode*)*pWhere)->pParameterList, pTagCondCopy);
107 108
  }

X
Xiaoyu Wang 已提交
109
  return mergeStableTagCond(pWhere, pTagCondCopy);
110 111
}

112
static EDealRes authSelectImpl(SNode* pNode, void* pContext) {
113 114
  SSelectAuthCxt* pCxt = pContext;
  SAuthCxt*       pAuthCxt = pCxt->pAuthCxt;
115
  if (QUERY_NODE_REAL_TABLE == nodeType(pNode)) {
X
Xiaoyu Wang 已提交
116 117 118 119 120 121
    SNode*      pTagCond = NULL;
    STableNode* pTable = (STableNode*)pNode;
    pAuthCxt->errCode = checkAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, &pTagCond);
    if (TSDB_CODE_SUCCESS == pAuthCxt->errCode && NULL != pTagCond) {
      pAuthCxt->errCode = appendStableTagCond(&pCxt->pSelect->pWhere, pTagCond);
    }
122
    return TSDB_CODE_SUCCESS == pAuthCxt->errCode ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
123
  } else if (QUERY_NODE_TEMP_TABLE == nodeType(pNode)) {
124
    return authSubquery(pAuthCxt, ((STempTableNode*)pNode)->pSubquery);
125 126 127 128 129
  }
  return DEAL_RES_CONTINUE;
}

static int32_t authSelect(SAuthCxt* pCxt, SSelectStmt* pSelect) {
130 131
  SSelectAuthCxt cxt = {.pAuthCxt = pCxt, .pSelect = pSelect};
  nodesWalkSelectStmt(pSelect, SQL_CLAUSE_FROM, authSelectImpl, &cxt);
132 133 134
  return pCxt->errCode;
}

135 136 137 138 139 140 141 142
static int32_t authSetOperator(SAuthCxt* pCxt, SSetOperator* pSetOper) {
  int32_t code = authQuery(pCxt, pSetOper->pLeft);
  if (TSDB_CODE_SUCCESS == code) {
    code = authQuery(pCxt, pSetOper->pRight);
  }
  return code;
}

X
Xiaoyu Wang 已提交
143
static int32_t authDropUser(SAuthCxt* pCxt, SDropUserStmt* pStmt) {
X
Xiaoyu Wang 已提交
144
  if (!pCxt->pParseCxt->isSuperUser || 0 == strcmp(pStmt->userName, TSDB_DEFAULT_USER)) {
145 146 147 148 149
    return TSDB_CODE_PAR_PERMISSION_DENIED;
  }
  return TSDB_CODE_SUCCESS;
}

X
Xiaoyu Wang 已提交
150
static int32_t authDelete(SAuthCxt* pCxt, SDeleteStmt* pDelete) {
X
Xiaoyu Wang 已提交
151 152 153 154 155 156 157
  SNode*      pTagCond = NULL;
  STableNode* pTable = (STableNode*)pDelete->pFromTable;
  int32_t     code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);
  if (TSDB_CODE_SUCCESS == code && NULL != pTagCond) {
    code = appendStableTagCond(&pDelete->pWhere, pTagCond);
  }
  return code;
X
Xiaoyu Wang 已提交
158 159
}

160
static int32_t authInsert(SAuthCxt* pCxt, SInsertStmt* pInsert) {
X
Xiaoyu Wang 已提交
161 162 163 164
  SNode*      pTagCond = NULL;
  STableNode* pTable = (STableNode*)pInsert->pTable;
  // todo check tag condition for subtable
  int32_t code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);
165 166 167 168 169 170
  if (TSDB_CODE_SUCCESS == code) {
    code = authQuery(pCxt, pInsert->pQuery);
  }
  return code;
}

171
static int32_t authShowTables(SAuthCxt* pCxt, SShowStmt* pStmt) {
X
Xiaoyu Wang 已提交
172
  return checkAuth(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, AUTH_TYPE_READ_OR_WRITE, NULL);
173 174
}

175
static int32_t authShowCreateTable(SAuthCxt* pCxt, SShowCreateTableStmt* pStmt) {
X
Xiaoyu Wang 已提交
176 177
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
178
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_READ, &pTagCond);
179 180
}

X
Xiaoyu Wang 已提交
181
static int32_t authCreateTable(SAuthCxt* pCxt, SCreateTableStmt* pStmt) {
X
Xiaoyu Wang 已提交
182 183 184
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
  return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, &pTagCond);
X
Xiaoyu Wang 已提交
185 186
}

X
Xiaoyu Wang 已提交
187
static int32_t authCreateMultiTable(SAuthCxt* pCxt, SCreateMultiTablesStmt* pStmt) {
X
Xiaoyu Wang 已提交
188 189 190
  int32_t code = TSDB_CODE_SUCCESS;
  SNode*  pNode = NULL;
  FOREACH(pNode, pStmt->pSubTables) {
X
Xiaoyu Wang 已提交
191 192
    SCreateSubTableClause* pClause = (SCreateSubTableClause*)pNode;
    code = checkAuth(pCxt, pClause->dbName, NULL, AUTH_TYPE_WRITE, NULL);
X
Xiaoyu Wang 已提交
193 194 195 196 197 198 199
    if (TSDB_CODE_SUCCESS != code) {
      break;
    }
  }
  return code;
}

X
Xiaoyu Wang 已提交
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222
static int32_t authDropTable(SAuthCxt* pCxt, SDropTableStmt* pStmt) {
  int32_t code = TSDB_CODE_SUCCESS;
  SNode*  pNode = NULL;
  FOREACH(pNode, pStmt->pTables) {
    SDropTableClause* pClause = (SDropTableClause*)pNode;
    code = checkAuth(pCxt, pClause->dbName, pClause->tableName, AUTH_TYPE_WRITE, NULL);
    if (TSDB_CODE_SUCCESS != code) {
      break;
    }
  }
  return code;
}

static int32_t authDropStable(SAuthCxt* pCxt, SDropSuperTableStmt* pStmt) {
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
}

static int32_t authAlterTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
}

223 224 225
static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {
  switch (nodeType(pStmt)) {
    case QUERY_NODE_SET_OPERATOR:
226
      return authSetOperator(pCxt, (SSetOperator*)pStmt);
227 228
    case QUERY_NODE_SELECT_STMT:
      return authSelect(pCxt, (SSelectStmt*)pStmt);
229
    case QUERY_NODE_DROP_USER_STMT:
X
Xiaoyu Wang 已提交
230
      return authDropUser(pCxt, (SDropUserStmt*)pStmt);
X
Xiaoyu Wang 已提交
231 232
    case QUERY_NODE_DELETE_STMT:
      return authDelete(pCxt, (SDeleteStmt*)pStmt);
233 234
    case QUERY_NODE_INSERT_STMT:
      return authInsert(pCxt, (SInsertStmt*)pStmt);
X
Xiaoyu Wang 已提交
235 236
    case QUERY_NODE_CREATE_TABLE_STMT:
      return authCreateTable(pCxt, (SCreateTableStmt*)pStmt);
X
Xiaoyu Wang 已提交
237 238
    case QUERY_NODE_CREATE_MULTI_TABLES_STMT:
      return authCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);
X
Xiaoyu Wang 已提交
239 240 241 242 243 244 245
    case QUERY_NODE_DROP_TABLE_STMT:
      return authDropTable(pCxt, (SDropTableStmt*)pStmt);
    case QUERY_NODE_DROP_SUPER_TABLE_STMT:
      return authDropStable(pCxt, (SDropSuperTableStmt*)pStmt);
    case QUERY_NODE_ALTER_TABLE_STMT:
    case QUERY_NODE_ALTER_SUPER_TABLE_STMT:
      return authAlterTable(pCxt, (SAlterTableStmt*)pStmt);
246 247 248 249 250 251 252 253 254
    case QUERY_NODE_SHOW_DNODES_STMT:
    case QUERY_NODE_SHOW_MNODES_STMT:
    case QUERY_NODE_SHOW_MODULES_STMT:
    case QUERY_NODE_SHOW_QNODES_STMT:
    case QUERY_NODE_SHOW_SNODES_STMT:
    case QUERY_NODE_SHOW_BNODES_STMT:
    case QUERY_NODE_SHOW_CLUSTER_STMT:
    case QUERY_NODE_SHOW_LICENCES_STMT:
    case QUERY_NODE_SHOW_VGROUPS_STMT:
255
    case QUERY_NODE_SHOW_DB_ALIVE_STMT:
256
    case QUERY_NODE_SHOW_CLUSTER_ALIVE_STMT:
257
    case QUERY_NODE_SHOW_CREATE_DATABASE_STMT:
258 259 260 261
    case QUERY_NODE_SHOW_TABLE_DISTRIBUTED_STMT:
    case QUERY_NODE_SHOW_VNODES_STMT:
    case QUERY_NODE_SHOW_SCORES_STMT:
      return !pCxt->pParseCxt->enableSysInfo ? TSDB_CODE_PAR_PERMISSION_DENIED : TSDB_CODE_SUCCESS;
262 263 264
    case QUERY_NODE_SHOW_TABLES_STMT:
    case QUERY_NODE_SHOW_STABLES_STMT:
      return authShowTables(pCxt, (SShowStmt*)pStmt);
265 266 267
    case QUERY_NODE_SHOW_CREATE_TABLE_STMT:
    case QUERY_NODE_SHOW_CREATE_STABLE_STMT:
      return authShowCreateTable(pCxt, (SShowCreateTableStmt*)pStmt);
268 269 270 271 272 273 274
    default:
      break;
  }

  return TSDB_CODE_SUCCESS;
}

275 276
int32_t authenticate(SParseContext* pParseCxt, SQuery* pQuery, SParseMetaCache* pMetaCache) {
  SAuthCxt cxt = {.pParseCxt = pParseCxt, .pMetaCache = pMetaCache, .errCode = TSDB_CODE_SUCCESS};
277 278
  return authQuery(&cxt, pQuery->pRoot);
}