feat: increase enable and sysinfo limits for user privilege

include/util/taoserror.h

@@ -132,7 +132,8 @@ int32_t* taosGetErrno();
 #define TSDB_CODE_MND_APP_ERROR                 TAOS_DEF_ERROR_CODE(0, 0x0300)
 #define TSDB_CODE_MND_NOT_READY                 TAOS_DEF_ERROR_CODE(0, 0x0301)
 #define TSDB_CODE_MND_NO_RIGHTS                 TAOS_DEF_ERROR_CODE(0, 0x0302)
-#define TSDB_CODE_MND_INVALID_CONNECTION        TAOS_DEF_ERROR_CODE(0, 0x0303)
+#define TSDB_CODE_MND_USER_DISABLED             TAOS_DEF_ERROR_CODE(0, 0x0303)
+#define TSDB_CODE_MND_INVALID_CONNECTION        TAOS_DEF_ERROR_CODE(0, 0x0304)
 
 // mnode-show
 #define TSDB_CODE_MND_INVALID_SHOWOBJ           TAOS_DEF_ERROR_CODE(0, 0x0310)

source/dnode/mnode/impl/inc/mndAuth.h

@@ -22,23 +22,42 @@
 extern "C" {
 #endif
 
+typedef enum {
+  MND_OPER_CREATE_USER = 1,
+  MND_OPER_DROP_USER,
+  MND_OPER_ALTER_USER,
+  MND_OPER_CREATE_BNODE,
+  MND_OPER_DROP_BNODE,
+  MND_OPER_CREATE_DNODE,
+  MND_OPER_DROP_DNODE,
+  MND_OPER_CREATE_MNODE,
+  MND_OPER_DROP_MNODE,
+  MND_OPER_CREATE_QNODE,
+  MND_OPER_DROP_QNODE,
+  MND_OPER_CREATE_SNODE,
+  MND_OPER_DROP_SNODE,
+  MND_OPER_REDISTRIBUTE_VGROUP,
+  MND_OPER_SPLIT_VGROUP,
+  MND_OPER_BALANCE_VGROUP,
+  MND_OPER_CREATE_FUNC,
+  MND_OPER_DROP_FUNC,
+  MND_OPER_KILL_TRANS,
+  MND_OPER_CREATE_DB,
+  MND_OPER_ALTER_DB,
+  MND_OPER_DROP_DB,
+  MND_OPER_COMPACT_DB,
+  MND_OPER_USE_DB,
+  MND_OPER_WRITE_DB,
+  MND_OPER_READ_DB,
+} EOperType;
+
 int32_t mndInitAuth(SMnode *pMnode);
 void    mndCleanupAuth(SMnode *pMnode);
 
-int32_t mndCheckCreateUserAuth(SUserObj *pOperUser);
+int32_t mndCheckOperAuth(SMnode *pMnode, const char *user, EOperType operType);
+int32_t mndCheckDbAuth(SMnode *pMnode, const char *user, EOperType operType, SDbObj *pDb);
+int32_t mndCheckShowAuth(SMnode *pMnode, const char *user, int32_t showType);
 int32_t mndCheckAlterUserAuth(SUserObj *pOperUser, SUserObj *pUser, SAlterUserReq *pAlter);
-int32_t mndCheckDropUserAuth(SUserObj *pOperUser);
-
-int32_t mndCheckNodeAuth(SUserObj *pOperUser);
-int32_t mndCheckFuncAuth(SUserObj *pOperUser);
-int32_t mndCheckTransAuth(SUserObj *pOperUser);
-
-int32_t mndCheckCreateDbAuth(SUserObj *pOperUser);
-int32_t mndCheckAlterDropCompactDbAuth(SUserObj *pOperUser, SDbObj *pDb);
-int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb);
-
-int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb);
-int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb);
 
 #ifdef __cplusplus
 }

source/dnode/mnode/impl/src/mndAuth.c

@@ -73,29 +73,44 @@ static int32_t mndProcessAuthReq(SRpcMsg *pReq) {
   return code;
 }
 
-int32_t mndCheckCreateUserAuth(SUserObj *pOperUser) {
-  if (pOperUser->superUser) return 0;
+int32_t mndCheckOperAuth(SMnode *pMnode, const char *user, EOperType operType) {
+  int32_t   code = 0;
+  SUserObj *pUser = mndAcquireUser(pMnode, user);
+
+  if (pUser == NULL) {
+    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
+    code = -1;
+    goto _OVER;
+  }
+
+  if (pUser->superUser) {
+    goto _OVER;
+  }
+
+  if (!pUser->enable) {
+    terrno = TSDB_CODE_MND_USER_DISABLED;
+    code = -1;
+    goto _OVER;
+  }
+
   terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
+  code = -1;
+
+_OVER:
+  mndReleaseUser(pMnode, pUser);
+  return code;
 }
 
 int32_t mndCheckAlterUserAuth(SUserObj *pOperUser, SUserObj *pUser, SAlterUserReq *pAlter) {
-  if (pAlter->alterType == TSDB_ALTER_USER_PASSWD) {
-    if (pOperUser->superUser || strcmp(pUser->user, pOperUser->user) == 0) {
-      return 0;
-    }
-  } else if (pAlter->alterType == TSDB_ALTER_USER_SUPERUSER) {
-    if (strcmp(pUser->user, TSDB_DEFAULT_USER) == 0) {
-      terrno = TSDB_CODE_MND_NO_RIGHTS;
-      return -1;
-    }
+  if (pOperUser->superUser) return 0;
+  if (!pOperUser->enable) {
+    terrno = TSDB_CODE_MND_USER_DISABLED;
+    return -1;
+  }
 
-    if (pOperUser->superUser) {
-      return 0;
-    }
-  } else {
-    if (pOperUser->superUser) {
-      return 0;
+  if (pAlter->alterType == TSDB_ALTER_USER_PASSWD) {
+    if (strcmp(pUser->user, pOperUser->user) == 0) {
+      if (pOperUser->sysInfo) return 0;
     }
   }
 
@@ -103,65 +118,92 @@ int32_t mndCheckAlterUserAuth(SUserObj *pOperUser, SUserObj *pUser, SAlterUserRe
   return -1;
 }
 
-int32_t mndCheckDropUserAuth(SUserObj *pOperUser) {
-  if (pOperUser->superUser) return 0;
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
-}
+int32_t mndCheckShowAuth(SMnode *pMnode, const char *user, int32_t showType) {
+  int32_t   code = 0;
+  SUserObj *pUser = mndAcquireUser(pMnode, user);
 
-int32_t mndCheckNodeAuth(SUserObj *pOperUser) {
-  if (pOperUser->superUser) return 0;
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
-}
+  if (pUser == NULL) {
+    code = -1;
+    goto _OVER;
+  }
 
-int32_t mndCheckFuncAuth(SUserObj *pOperUser) {
-  if (pOperUser->superUser) return 0;
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
-}
+  if (pUser->superUser) {
+    goto _OVER;
+  }
+
+  if (!pUser->enable) {
+    terrno = TSDB_CODE_MND_USER_DISABLED;
+    code = -1;
+    goto _OVER;
+  }
+
+  if (!pUser->sysInfo) {
+    terrno = TSDB_CODE_MND_NO_RIGHTS;
+    code = -1;
+    goto _OVER;
+  }
 
-int32_t mndCheckTransAuth(SUserObj *pOperUser) {
-  if (pOperUser->superUser) return 0;
   terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
+  code = -1;
+
+_OVER:
+  mndReleaseUser(pMnode, pUser);
+  return code;
 }
 
-int32_t mndCheckCreateDbAuth(SUserObj *pOperUser) { return 0; }
+int32_t mndCheckDbAuth(SMnode *pMnode, const char *user, EOperType operType, SDbObj *pDb) {
+  int32_t   code = 0;
+  SUserObj *pUser = mndAcquireUser(pMnode, user);
 
-int32_t mndCheckAlterDropCompactDbAuth(SUserObj *pOperUser, SDbObj *pDb) {
-  if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) {
-    return 0;
+  if (pUser == NULL) {
+    code = -1;
+    goto _OVER;
   }
 
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
-}
+  if (pUser->superUser) goto _OVER;
 
-int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb) { return 0; }
+  if (!pUser->enable) {
+    terrno = TSDB_CODE_MND_USER_DISABLED;
+    code = -1;
+    goto _OVER;
+  }
 
-int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb) {
-  if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) {
-    return 0;
+  if (operType == MND_OPER_CREATE_DB) {
+    if (pUser->sysInfo) goto _OVER;
   }
 
-  if (taosHashGet(pOperUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) {
-    return 0;
+  if (operType == MND_OPER_ALTER_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0 && pUser->sysInfo) goto _OVER;
   }
 
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
-}
+  if (operType == MND_OPER_DROP_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0 && pUser->sysInfo) goto _OVER;
+  }
 
-int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb) {
-  if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) {
-    return 0;
+  if (operType == MND_OPER_COMPACT_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0 && pUser->sysInfo) goto _OVER;
   }
 
-  if (taosHashGet(pOperUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) {
-    return 0;
+  if (operType == MND_OPER_USE_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0) goto _OVER;
+    if (taosHashGet(pUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
+    if (taosHashGet(pUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
+  }
+
+  if (operType == MND_OPER_WRITE_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0) goto _OVER;
+    if (taosHashGet(pUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
+  }
+
+  if (operType == MND_OPER_READ_DB) {
+    if (strcmp(pUser->user, pDb->createUser) == 0) goto _OVER;
+    if (taosHashGet(pUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
   }
 
   terrno = TSDB_CODE_MND_NO_RIGHTS;
-  return -1;
+  code = -1;
+
+_OVER:
+  mndReleaseUser(pMnode, pUser);
+  return code;
 }

source/dnode/mnode/impl/src/mndBnode.c

@@ -269,7 +269,6 @@ static int32_t mndProcessCreateBnodeReq(SRpcMsg *pReq) {
   int32_t          code = -1;
   SBnodeObj       *pObj = NULL;
   SDnodeObj       *pDnode = NULL;
-  SUserObj        *pUser = NULL;
   SMCreateBnodeReq createReq = {0};
 
   if (tDeserializeSCreateDropMQSBNodeReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -293,13 +292,7 @@ static int32_t mndProcessCreateBnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_BNODE) != 0) {
     goto _OVER;
   }
 
@@ -313,7 +306,6 @@ _OVER:
 
   mndReleaseBnode(pMnode, pObj);
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
   return code;
 }
 
@@ -382,7 +374,6 @@ _OVER:
 static int32_t mndProcessDropBnodeReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SBnodeObj     *pObj = NULL;
   SMDropBnodeReq dropReq = {0};
 
@@ -403,13 +394,7 @@ static int32_t mndProcessDropBnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_BNODE) != 0) {
     goto _OVER;
   }
 
@@ -422,8 +407,6 @@ _OVER:
   }
 
   mndReleaseBnode(pMnode, pObj);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndDb.c

@@ -526,7 +526,7 @@ static int32_t mndProcessCreateDbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  if (mndCheckCreateDbAuth(pUser) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_DB, NULL) != 0) {
     goto _OVER;
   }
 
@@ -684,7 +684,6 @@ static int32_t mndProcessAlterDbReq(SRpcMsg *pReq) {
   SMnode     *pMnode = pReq->info.node;
   int32_t     code = -1;
   SDbObj     *pDb = NULL;
-  SUserObj   *pUser = NULL;
   SAlterDbReq alterReq = {0};
   SDbObj      dbObj = {0};
 
@@ -701,12 +700,7 @@ static int32_t mndProcessAlterDbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckAlterDropCompactDbAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_ALTER_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -733,7 +727,6 @@ _OVER:
   }
 
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   taosArrayDestroy(dbObj.cfg.pRetensions);
 
   return code;
@@ -967,7 +960,6 @@ static int32_t mndProcessDropDbReq(SRpcMsg *pReq) {
   SMnode    *pMnode = pReq->info.node;
   int32_t    code = -1;
   SDbObj    *pDb = NULL;
-  SUserObj  *pUser = NULL;
   SDropDbReq dropReq = {0};
 
   if (tDeserializeSDropDbReq(pReq->pCont, pReq->contLen, &dropReq) != 0) {
@@ -988,12 +980,7 @@ static int32_t mndProcessDropDbReq(SRpcMsg *pReq) {
     }
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckAlterDropCompactDbAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_DROP_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -1006,8 +993,6 @@ _OVER:
   }
 
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 
@@ -1103,7 +1088,6 @@ static int32_t mndProcessUseDbReq(SRpcMsg *pReq) {
   SMnode   *pMnode = pReq->info.node;
   int32_t   code = -1;
   SDbObj   *pDb = NULL;
-  SUserObj *pUser = NULL;
   SUseDbReq usedbReq = {0};
   SUseDbRsp usedbRsp = {0};
 
@@ -1143,12 +1127,7 @@ static int32_t mndProcessUseDbReq(SRpcMsg *pReq) {
 
       mError("db:%s, failed to process use db req since %s", usedbReq.db, terrstr());
     } else {
-      pUser = mndAcquireUser(pMnode, pReq->conn.user);
-      if (pUser == NULL) {
-        goto _OVER;
-      }
-
-      if (mndCheckUseDbAuth(pUser, pDb) != 0) {
+      if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_USE_DB, pDb) != 0) {
         goto _OVER;
       }
 
@@ -1179,7 +1158,6 @@ _OVER:
   }
 
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   tFreeSUsedbRsp(&usedbRsp);
 
   return code;
@@ -1260,7 +1238,6 @@ static int32_t mndProcessCompactDbReq(SRpcMsg *pReq) {
   SMnode       *pMnode = pReq->info.node;
   int32_t       code = -1;
   SDbObj       *pDb = NULL;
-  SUserObj     *pUser = NULL;
   SCompactDbReq compactReq = {0};
 
   if (tDeserializeSCompactDbReq(pReq->pCont, pReq->contLen, &compactReq) != 0) {
@@ -1275,12 +1252,7 @@ static int32_t mndProcessCompactDbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckAlterDropCompactDbAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_COMPACT_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -1292,8 +1264,6 @@ _OVER:
   }
 
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndDnode.c

@@ -499,7 +499,6 @@ _OVER:
 static int32_t mndProcessCreateDnodeReq(SRpcMsg *pReq) {
   SMnode         *pMnode = pReq->info.node;
   int32_t         code = -1;
-  SUserObj       *pUser = NULL;
   SDnodeObj      *pDnode = NULL;
   SCreateDnodeReq createReq = {0};
 
@@ -522,13 +521,7 @@ static int32_t mndProcessCreateDnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_DNODE) != 0) {
     goto _OVER;
   }
 
@@ -541,7 +534,6 @@ _OVER:
   }
 
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
   return code;
 }
 
@@ -586,7 +578,6 @@ _OVER:
 static int32_t mndProcessDropDnodeReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SDnodeObj     *pDnode = NULL;
   SMnodeObj     *pMObj = NULL;
   SMDropMnodeReq dropReq = {0};
@@ -631,13 +622,7 @@ static int32_t mndProcessDropDnodeReq(SRpcMsg *pReq) {
     }
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_MNODE) != 0) {
     goto _OVER;
   }
 
@@ -650,7 +635,6 @@ _OVER:
   }
 
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
   mndReleaseMnode(pMnode, pMObj);
   return code;
 }

source/dnode/mnode/impl/src/mndFunc.c

@@ -274,7 +274,6 @@ _OVER:
 static int32_t mndProcessCreateFuncReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SFuncObj      *pFunc = NULL;
   SCreateFuncReq createReq = {0};
 
@@ -309,23 +308,17 @@ static int32_t mndProcessCreateFuncReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
- if (createReq.codeLen <= 1) {
-   terrno = TSDB_CODE_MND_INVALID_FUNC_CODE;
-   goto _OVER;
- }
-
-  if (createReq.bufSize < 0 || createReq.bufSize > TSDB_FUNC_BUF_SIZE) {
-    terrno = TSDB_CODE_MND_INVALID_FUNC_BUFSIZE;
+  if (createReq.codeLen <= 1) {
+    terrno = TSDB_CODE_MND_INVALID_FUNC_CODE;
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
+  if (createReq.bufSize < 0 || createReq.bufSize > TSDB_FUNC_BUF_SIZE) {
+    terrno = TSDB_CODE_MND_INVALID_FUNC_BUFSIZE;
     goto _OVER;
   }
 
-  if (mndCheckFuncAuth(pUser)) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_FUNC) != 0) {
     goto _OVER;
   }
 
@@ -338,16 +331,13 @@ _OVER:
   }
 
   mndReleaseFunc(pMnode, pFunc);
-  mndReleaseUser(pMnode, pUser);
   tFreeSCreateFuncReq(&createReq);
-
   return code;
 }
 
 static int32_t mndProcessDropFuncReq(SRpcMsg *pReq) {
   SMnode      *pMnode = pReq->info.node;
   int32_t      code = -1;
-  SUserObj    *pUser = NULL;
   SFuncObj    *pFunc = NULL;
   SDropFuncReq dropReq = {0};
 
@@ -375,13 +365,7 @@ static int32_t mndProcessDropFuncReq(SRpcMsg *pReq) {
     }
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckFuncAuth(pUser)) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_FUNC) != 0) {
     goto _OVER;
   }
 
@@ -394,8 +378,6 @@ _OVER:
   }
 
   mndReleaseFunc(pMnode, pFunc);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndMnode.c

@@ -381,7 +381,6 @@ static int32_t mndProcessCreateMnodeReq(SRpcMsg *pReq) {
   int32_t          code = -1;
   SMnodeObj       *pObj = NULL;
   SDnodeObj       *pDnode = NULL;
-  SUserObj        *pUser = NULL;
   SMCreateMnodeReq createReq = {0};
 
   if (tDeserializeSCreateDropMQSBNodeReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -415,13 +414,7 @@ static int32_t mndProcessCreateMnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_MNODE) != 0) {
     goto _OVER;
   }
 
@@ -435,7 +428,6 @@ _OVER:
 
   mndReleaseMnode(pMnode, pObj);
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
 
   return code;
 }
@@ -594,7 +586,6 @@ _OVER:
 static int32_t mndProcessDropMnodeReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SMnodeObj     *pObj = NULL;
   SMDropMnodeReq dropReq = {0};
 
@@ -630,13 +621,7 @@ static int32_t mndProcessDropMnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_MNODE) != 0) {
     goto _OVER;
   }
 
@@ -649,8 +634,6 @@ _OVER:
   }
 
   mndReleaseMnode(pMnode, pObj);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndQnode.c

@@ -271,7 +271,6 @@ static int32_t mndProcessCreateQnodeReq(SRpcMsg *pReq) {
   int32_t          code = -1;
   SQnodeObj       *pObj = NULL;
   SDnodeObj       *pDnode = NULL;
-  SUserObj        *pUser = NULL;
   SMCreateQnodeReq createReq = {0};
 
   if (tDeserializeSCreateDropMQSBNodeReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -295,13 +294,7 @@ static int32_t mndProcessCreateQnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_QNODE) != 0) {
     goto _OVER;
   }
 
@@ -315,7 +308,6 @@ _OVER:
 
   mndReleaseQnode(pMnode, pObj);
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
   return code;
 }
 
@@ -384,7 +376,6 @@ _OVER:
 static int32_t mndProcessDropQnodeReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SQnodeObj     *pObj = NULL;
   SMDropQnodeReq dropReq = {0};
 
@@ -405,13 +396,7 @@ static int32_t mndProcessDropQnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_QNODE) != 0) {
     goto _OVER;
   }
 
@@ -424,8 +409,6 @@ _OVER:
   }
 
   mndReleaseQnode(pMnode, pObj);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndShow.c

@@ -16,6 +16,7 @@
 #define _DEFAULT_SOURCE
 #include "mndShow.h"
 #include "systable.h"
+#include "mndAuth.h"
 
 #define SHOW_STEP_SIZE 100
 
@@ -228,6 +229,8 @@ static int32_t mndProcessRetrieveSysTableReq(SRpcMsg *pReq) {
 
   mDebug("show:0x%" PRIx64 ", start retrieve data, type:%d", pShow->id, pShow->type);
 
+  // if (mndCheckShowAuth(pMnode, pReq->conn.user, pShow->type) != 0) return -1;
+
   int32_t      numOfCols = pShow->pMeta->numOfColumns;
   SSDataBlock *pBlock = taosMemoryCalloc(1, sizeof(SSDataBlock));
   pBlock->pDataBlock = taosArrayInit(numOfCols, sizeof(SColumnInfoData));

source/dnode/mnode/impl/src/mndSma.c

@@ -628,7 +628,6 @@ static int32_t mndProcessCreateSmaReq(SRpcMsg *pReq) {
   SSmaObj       *pSma = NULL;
   SStreamObj    *pStream = NULL;
   SDbObj        *pDb = NULL;
-  SUserObj      *pUser = NULL;
   SMCreateSmaReq createReq = {0};
 
   if (tDeserializeSMCreateSmaReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -672,12 +671,7 @@ static int32_t mndProcessCreateSmaReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -693,7 +687,6 @@ _OVER:
   mndReleaseSma(pMnode, pSma);
   mndReleaseStream(pMnode, pStream);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   tFreeSMCreateSmaReq(&createReq);
 
   return code;
@@ -908,7 +901,6 @@ _OVER:
 static int32_t mndProcessDropSmaReq(SRpcMsg *pReq) {
   SMnode      *pMnode = pReq->info.node;
   int32_t      code = -1;
-  SUserObj    *pUser = NULL;
   SDbObj      *pDb = NULL;
   SSmaObj     *pSma = NULL;
   SMDropSmaReq dropReq = {0};
@@ -938,12 +930,7 @@ static int32_t mndProcessDropSmaReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -956,9 +943,6 @@ _OVER:
   }
 
   mndReleaseDb(pMnode, pDb);
-  mndReleaseSma(pMnode, pSma);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndSnode.c

@@ -277,7 +277,6 @@ static int32_t mndProcessCreateSnodeReq(SRpcMsg *pReq) {
   int32_t          code = -1;
   SSnodeObj       *pObj = NULL;
   SDnodeObj       *pDnode = NULL;
-  SUserObj        *pUser = NULL;
   SMCreateSnodeReq createReq = {0};
 
   if (tDeserializeSCreateDropMQSBNodeReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -301,13 +300,7 @@ static int32_t mndProcessCreateSnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_SNODE) != 0) {
     goto _OVER;
   }
 
@@ -322,7 +315,6 @@ _OVER:
 
   mndReleaseSnode(pMnode, pObj);
   mndReleaseDnode(pMnode, pDnode);
-  mndReleaseUser(pMnode, pUser);
   return code;
 }
 
@@ -392,7 +384,6 @@ _OVER:
 static int32_t mndProcessDropSnodeReq(SRpcMsg *pReq) {
   SMnode        *pMnode = pReq->info.node;
   int32_t        code = -1;
-  SUserObj      *pUser = NULL;
   SSnodeObj     *pObj = NULL;
   SMDropSnodeReq dropReq = {0};
 
@@ -413,13 +404,7 @@ static int32_t mndProcessDropSnodeReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_SNODE) != 0) {
     goto _OVER;
   }
 
@@ -432,8 +417,6 @@ _OVER:
   }
 
   mndReleaseSnode(pMnode, pObj);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndStb.c

@@ -769,7 +769,6 @@ static int32_t mndProcessCreateStbReq(SRpcMsg *pReq) {
   int32_t        code = -1;
   SStbObj       *pStb = NULL;
   SDbObj        *pDb = NULL;
-  SUserObj      *pUser = NULL;
   SMCreateStbReq createReq = {0};
 
   if (tDeserializeSMCreateStbReq(pReq->pCont, pReq->contLen, &createReq) != 0) {
@@ -803,12 +802,7 @@ static int32_t mndProcessCreateStbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -832,7 +826,6 @@ _OVER:
 
   mndReleaseStb(pMnode, pStb);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   tFreeSMCreateStbReq(&createReq);
 
   return code;
@@ -1427,7 +1420,6 @@ static int32_t mndProcessAlterStbReq(SRpcMsg *pReq) {
   int32_t       code = -1;
   SDbObj       *pDb = NULL;
   SStbObj      *pStb = NULL;
-  SUserObj     *pUser = NULL;
   SMAlterStbReq alterReq = {0};
 
   if (tDeserializeSMAlterStbReq(pReq->pCont, pReq->contLen, &alterReq) != 0) {
@@ -1458,12 +1450,7 @@ static int32_t mndProcessAlterStbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -1477,7 +1464,6 @@ _OVER:
 
   mndReleaseStb(pMnode, pStb);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   taosArrayDestroy(alterReq.pFields);
 
   return code;
@@ -1565,7 +1551,6 @@ _OVER:
 static int32_t mndProcessDropStbReq(SRpcMsg *pReq) {
   SMnode      *pMnode = pReq->info.node;
   int32_t      code = -1;
-  SUserObj    *pUser = NULL;
   SDbObj      *pDb = NULL;
   SStbObj     *pStb = NULL;
   SMDropStbReq dropReq = {0};
@@ -1595,12 +1580,7 @@ static int32_t mndProcessDropStbReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -1614,8 +1594,6 @@ _OVER:
 
   mndReleaseDb(pMnode, pDb);
   mndReleaseStb(pMnode, pStb);
-  mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndStream.c

@@ -293,7 +293,6 @@ int32_t mndAddStreamToTrans(SMnode *pMnode, SStreamObj *pStream, const char *ast
 static int32_t mndCreateStbForStream(SMnode *pMnode, STrans *pTrans, const SStreamObj *pStream, const char *user) {
   SStbObj  *pStb = NULL;
   SDbObj   *pDb = NULL;
-  SUserObj *pUser = NULL;
 
   SMCreateStbReq createReq = {0};
   tstrncpy(createReq.name, pStream->targetSTbName, TSDB_TABLE_FNAME_LEN);
@@ -335,12 +334,8 @@ static int32_t mndCreateStbForStream(SMnode *pMnode, STrans *pTrans, const SStre
     goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
 
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+  if (mndCheckDbAuth(pMnode, user, MND_OPER_WRITE_DB, pDb) != 0) {
     goto _OVER;
   }
 
@@ -368,7 +363,6 @@ static int32_t mndCreateStbForStream(SMnode *pMnode, STrans *pTrans, const SStre
 _OVER:
   mndReleaseStb(pMnode, pStb);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
   return -1;
 }
 
@@ -436,19 +430,18 @@ static int32_t mndProcessCreateStreamReq(SRpcMsg *pReq) {
   int32_t            code = -1;
   SStreamObj        *pStream = NULL;
   SDbObj            *pDb = NULL;
-  SUserObj          *pUser = NULL;
   SCMCreateStreamReq createStreamReq = {0};
 
   if (tDeserializeSCMCreateStreamReq(pReq->pCont, pReq->contLen, &createStreamReq) != 0) {
     terrno = TSDB_CODE_INVALID_MSG;
-    goto CREATE_STREAM_OVER;
+    goto _OVER;
   }
 
   mDebug("stream:%s, start to create, sql:%s", createStreamReq.name, createStreamReq.sql);
 
   if (mndCheckCreateStreamReq(&createStreamReq) != 0) {
     mError("stream:%s, failed to create since %s", createStreamReq.name, terrstr());
-    goto CREATE_STREAM_OVER;
+    goto _OVER;
   }
 
   pStream = mndAcquireStream(pMnode, createStreamReq.name);
@@ -456,41 +449,35 @@ static int32_t mndProcessCreateStreamReq(SRpcMsg *pReq) {
     if (createStreamReq.igExists) {
       mDebug("stream:%s, already exist, ignore exist is set", createStreamReq.name);
       code = 0;
-      goto CREATE_STREAM_OVER;
+      goto _OVER;
     } else {
       terrno = TSDB_CODE_MND_STREAM_ALREADY_EXIST;
-      goto CREATE_STREAM_OVER;
+      goto _OVER;
     }
   } else if (terrno != TSDB_CODE_MND_STREAM_NOT_EXIST) {
-    goto CREATE_STREAM_OVER;
+    goto _OVER;
   }
 
   pDb = mndAcquireDb(pMnode, createStreamReq.sourceDB);
   if (pDb == NULL) {
     terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
-    goto CREATE_STREAM_OVER;
-  }
-
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto CREATE_STREAM_OVER;
+    goto _OVER;
   }
 
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
-    goto CREATE_STREAM_OVER;
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
+    goto _OVER;
   }
 
   code = mndCreateStream(pMnode, pReq, &createStreamReq, pDb);
   if (code == 0) code = TSDB_CODE_ACTION_IN_PROGRESS;
 
-CREATE_STREAM_OVER:
+_OVER:
   if (code != 0 && code != TSDB_CODE_ACTION_IN_PROGRESS) {
     mError("stream:%s, failed to create since %s", createStreamReq.name, terrstr());
   }
 
   mndReleaseStream(pMnode, pStream);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
 
   tFreeSCMCreateStreamReq(&createStreamReq);
   return code;

source/dnode/mnode/impl/src/mndTopic.c

@@ -387,7 +387,7 @@ static int32_t mndCreateTopic(SMnode *pMnode, SRpcMsg *pReq, SCMCreateTopicReq *
       return -1;
     }
 
-    if (nodesNodeToString((SNode*)pPlan, false, &topicObj.physicalPlan, NULL) != 0) {
+    if (nodesNodeToString((SNode *)pPlan, false, &topicObj.physicalPlan, NULL) != 0) {
       mError("topic:%s, failed to create since %s", pCreate->name, terrstr());
       taosMemoryFree(topicObj.ast);
       taosMemoryFree(topicObj.sql);
@@ -440,19 +440,18 @@ static int32_t mndProcessCreateTopicReq(SRpcMsg *pReq) {
   int32_t           code = -1;
   SMqTopicObj      *pTopic = NULL;
   SDbObj           *pDb = NULL;
-  SUserObj         *pUser = NULL;
   SCMCreateTopicReq createTopicReq = {0};
 
   if (tDeserializeSCMCreateTopicReq(pReq->pCont, pReq->contLen, &createTopicReq) != 0) {
     terrno = TSDB_CODE_INVALID_MSG;
-    goto CREATE_TOPIC_OVER;
+    goto _OVER;
   }
 
   mDebug("topic:%s, start to create, sql:%s", createTopicReq.name, createTopicReq.sql);
 
   if (mndCheckCreateTopicReq(&createTopicReq) != 0) {
     mError("topic:%s, failed to create since %s", createTopicReq.name, terrstr());
-    goto CREATE_TOPIC_OVER;
+    goto _OVER;
   }
 
   pTopic = mndAcquireTopic(pMnode, createTopicReq.name);
@@ -460,41 +459,35 @@ static int32_t mndProcessCreateTopicReq(SRpcMsg *pReq) {
     if (createTopicReq.igExists) {
       mDebug("topic:%s, already exist, ignore exist is set", createTopicReq.name);
       code = 0;
-      goto CREATE_TOPIC_OVER;
+      goto _OVER;
     } else {
       terrno = TSDB_CODE_MND_TOPIC_ALREADY_EXIST;
-      goto CREATE_TOPIC_OVER;
+      goto _OVER;
     }
   } else if (terrno != TSDB_CODE_MND_TOPIC_NOT_EXIST) {
-    goto CREATE_TOPIC_OVER;
+    goto _OVER;
   }
 
   pDb = mndAcquireDb(pMnode, createTopicReq.subDbName);
   if (pDb == NULL) {
     terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
-    goto CREATE_TOPIC_OVER;
+    goto _OVER;
   }
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto CREATE_TOPIC_OVER;
-  }
-
-  if (mndCheckWriteAuth(pUser, pDb) != 0) {
-    goto CREATE_TOPIC_OVER;
+  if (mndCheckDbAuth(pMnode, pReq->conn.user, MND_OPER_WRITE_DB, pDb) != 0) {
+    goto _OVER;
   }
 
   code = mndCreateTopic(pMnode, pReq, &createTopicReq, pDb);
   if (code == 0) code = TSDB_CODE_ACTION_IN_PROGRESS;
 
-CREATE_TOPIC_OVER:
+_OVER:
   if (code != 0 && code != TSDB_CODE_ACTION_IN_PROGRESS) {
     mError("topic:%s, failed to create since %s", createTopicReq.name, terrstr());
   }
 
   mndReleaseTopic(pMnode, pTopic);
   mndReleaseDb(pMnode, pDb);
-  mndReleaseUser(pMnode, pUser);
 
   tFreeSCMCreateTopicReq(&createTopicReq);
   return code;

source/dnode/mnode/impl/src/mndTrans.c

@@ -1364,7 +1364,6 @@ static int32_t mndProcessKillTransReq(SRpcMsg *pReq) {
   SMnode       *pMnode = pReq->info.node;
   SKillTransReq killReq = {0};
   int32_t       code = -1;
-  SUserObj     *pUser = NULL;
   STrans       *pTrans = NULL;
 
   if (tDeserializeSKillTransReq(pReq->pCont, pReq->contLen, &killReq) != 0) {
@@ -1374,12 +1373,7 @@ static int32_t mndProcessKillTransReq(SRpcMsg *pReq) {
 
   mInfo("trans:%d, start to kill", killReq.transId);
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    goto _OVER;
-  }
-
-  if (mndCheckTransAuth(pUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_KILL_TRANS) != 0) {
     goto _OVER;
   }
 
@@ -1395,7 +1389,6 @@ _OVER:
     mError("trans:%d, failed to kill since %s", killReq.transId, terrstr());
   }
 
-  mndReleaseUser(pMnode, pUser);
   mndReleaseTrans(pMnode, pTrans);
   return code;
 }

source/dnode/mnode/impl/src/mndUser.c

@@ -360,7 +360,7 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  if (mndCheckCreateUserAuth(pOperUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_CREATE_USER) != 0) {
     goto _OVER;
   }
 
@@ -623,7 +623,6 @@ static int32_t mndProcessDropUserReq(SRpcMsg *pReq) {
   SMnode      *pMnode = pReq->info.node;
   int32_t      code = -1;
   SUserObj    *pUser = NULL;
-  SUserObj    *pOperUser = NULL;
   SDropUserReq dropReq = {0};
 
   if (tDeserializeSDropUserReq(pReq->pCont, pReq->contLen, &dropReq) != 0) {
@@ -644,13 +643,7 @@ static int32_t mndProcessDropUserReq(SRpcMsg *pReq) {
     goto _OVER;
   }
 
-  pOperUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pOperUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckDropUserAuth(pOperUser) != 0) {
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_DROP_USER) != 0) {
     goto _OVER;
   }
 
@@ -662,9 +655,7 @@ _OVER:
     mError("user:%s, failed to drop since %s", dropReq.user, terrstr());
   }
 
-  mndReleaseUser(pMnode, pOperUser);
   mndReleaseUser(pMnode, pUser);
-
   return code;
 }
 

source/dnode/mnode/impl/src/mndVgroup.c

@@ -1177,7 +1177,6 @@ _OVER:
 
 static int32_t mndProcessRedistributeVgroupMsg(SRpcMsg *pReq) {
   SMnode    *pMnode = pReq->info.node;
-  SUserObj  *pUser = NULL;
   SDnodeObj *pNew1 = NULL;
   SDnodeObj *pNew2 = NULL;
   SDnodeObj *pNew3 = NULL;
@@ -1200,13 +1199,8 @@ static int32_t mndProcessRedistributeVgroupMsg(SRpcMsg *pReq) {
   }
 
   mInfo("vgId:%d, start to redistribute to dnode %d:%d:%d", req.vgId, req.dnodeId1, req.dnodeId2, req.dnodeId3);
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
 
-  if (mndCheckNodeAuth(pUser) != 0) goto _OVER;
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_REDISTRIBUTE_VGROUP) != 0) goto _OVER;
 
   pVgroup = mndAcquireVgroup(pMnode, req.vgId);
   if (pVgroup == NULL) goto _OVER;
@@ -1368,7 +1362,6 @@ _OVER:
   mndReleaseDnode(pMnode, pOld1);
   mndReleaseDnode(pMnode, pOld2);
   mndReleaseDnode(pMnode, pOld3);
-  mndReleaseUser(pMnode, pUser);
   mndReleaseVgroup(pMnode, pVgroup);
   mndReleaseDb(pMnode, pDb);
 
@@ -1493,12 +1486,11 @@ _OVER:
 }
 
 static int32_t mndProcessSplitVgroupMsg(SRpcMsg *pReq) {
-  SMnode   *pMnode = pReq->info.node;
-  int32_t   code = -1;
-  int32_t   vgId = 2;
-  SUserObj *pUser = NULL;
-  SVgObj   *pVgroup = NULL;
-  SDbObj   *pDb = NULL;
+  SMnode *pMnode = pReq->info.node;
+  int32_t code = -1;
+  int32_t vgId = 2;
+  SVgObj *pVgroup = NULL;
+  SDbObj *pDb = NULL;
 
   mDebug("vgId:%d, start to split", vgId);
 
@@ -1508,19 +1500,12 @@ static int32_t mndProcessSplitVgroupMsg(SRpcMsg *pReq) {
   pDb = mndAcquireDb(pMnode, pVgroup->dbName);
   if (pDb == NULL) goto _OVER;
 
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
-
-  if (mndCheckNodeAuth(pUser) != 0) goto _OVER;
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_SPLIT_VGROUP) != 0) goto _OVER;
 
   code = mndSplitVgroup(pMnode, pReq, pDb, pVgroup);
   if (code == 0) code = TSDB_CODE_ACTION_IN_PROGRESS;
 
 _OVER:
-  mndReleaseUser(pMnode, pUser);
   mndReleaseVgroup(pMnode, pVgroup);
   mndReleaseDb(pMnode, pDb);
   return code;
@@ -1631,21 +1616,15 @@ _OVER:
 }
 
 static int32_t mndProcessBalanceVgroupMsg(SRpcMsg *pReq) {
-  SMnode   *pMnode = pReq->info.node;
-  int32_t   code = -1;
-  SUserObj *pUser = NULL;
-  SArray   *pArray = NULL;
-  void     *pIter = NULL;
-  int64_t   curMs = taosGetTimestampMs();
+  SMnode *pMnode = pReq->info.node;
+  int32_t code = -1;
+  SArray *pArray = NULL;
+  void   *pIter = NULL;
+  int64_t curMs = taosGetTimestampMs();
 
   mDebug("start to balance vgroup");
-  pUser = mndAcquireUser(pMnode, pReq->conn.user);
-  if (pUser == NULL) {
-    terrno = TSDB_CODE_MND_NO_USER_FROM_CONN;
-    goto _OVER;
-  }
 
-  if (mndCheckNodeAuth(pUser) != 0) goto _OVER;
+  if (mndCheckOperAuth(pMnode, pReq->conn.user, MND_OPER_BALANCE_VGROUP) != 0) goto _OVER;
 
   while (1) {
     SDnodeObj *pDnode = NULL;
@@ -1676,7 +1655,6 @@ _OVER:
     mError("failed to balance vgroup since %s", terrstr());
   }
 
-  mndReleaseUser(pMnode, pUser);
   taosArrayDestroy(pArray);
   return code;
 }
\ No newline at end of file

source/util/src/terror.c

@@ -137,6 +137,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_TSC_STMT_CLAUSE_ERROR,        "not supported stmt cl
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_APP_ERROR,                "Mnode internal error")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_NOT_READY,                "Mnode not ready")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_NO_RIGHTS,                "Insufficient privilege for operation")
+TAOS_DEFINE_ERROR(TSDB_CODE_MND_USER_DISABLED,            "User is disabled")
 TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_CONNECTION,       "Invalid message connection")
 
 // mnode-show

tests/system-test/0-others/user_control.py

@@ -246,20 +246,26 @@ class TDTestCase:
             user = self.root_user
         with taos_connect(user=user.name, passwd=user.passwd) as use:
             time.sleep(2)
-            use.query("use db")
-            use.query("show tables")
             if check_priv == PRIVILEGES_ALL:
+                use.query("use db")
+                use.query("show tables")
                 use.query("select * from ct1")
                 use.query("insert into t1 (ts) values (now())")
             elif check_priv == PRIVILEGES_READ:
+                use.query("use db")
+                use.query("show tables")
                 use.query("select * from ct1")
                 use.error("insert into t1 (ts) values (now())")
             elif check_priv == PRIVILEGES_WRITE:
+                use.query("use db")
+                use.query("show tables")
                 use.error("select * from ct1")
                 use.query("insert into t1 (ts) values (now())")
             elif check_priv is None:
-                use.error("select * from ct1")
-                use.error("insert into t1 (ts) values (now())")
+                use.error("use db")
+                use.error("show tables")
+                use.error("select * from db.ct1")
+                use.error("insert into db.t1 (ts) values (now())")
 
     def __change_user_priv(self, user: User, pre_priv, invoke=False):
         if user.priv == pre_priv and invoke :
@@ -610,7 +616,7 @@ class TDTestCase:
         tdLog.printNoPrefix("==========step0: init, user list only has root account")
         tdSql.query("show users")
         tdSql.checkData(0, 0, "root")
-        tdSql.checkData(0, 1, "super")
+        tdSql.checkData(0, 1, "1")
 
         # root用户权限
         # 创建用户测试
@@ -676,7 +682,7 @@ class TDTestCase:
         tdSql.query("show users")
         tdSql.checkRows(1)
         tdSql.checkData(0, 0, "root")
-        tdSql.checkData(0, 1, "super")
+        tdSql.checkData(0, 1, "1")
 
         tdDnodes.stop(1)
         tdDnodes.start(1)
@@ -690,7 +696,7 @@ class TDTestCase:
         tdSql.query("show users")
         tdSql.checkRows(1)
         tdSql.checkData(0, 0, "root")
-        tdSql.checkData(0, 1, "super")
+        tdSql.checkData(0, 1, "1")
 
 
     def stop(self):