feat: privilege for sysinfo user

include/libs/transport/trpc.h

@@ -34,10 +34,8 @@ extern int32_t tsRpcHeadSize;
 typedef struct {
   uint32_t clientIp;
   uint16_t clientPort;
-  union {
-    char    user[TSDB_USER_LEN];
-    int64_t applyIndex;
-  };
+  int64_t  applyIndex;
+  char     user[TSDB_USER_LEN];
 } SRpcConnInfo;
 
 typedef struct SRpcHandleInfo {

source/dnode/mgmt/mgmt_dnode/src/dmHandle.c

@@ -253,6 +253,11 @@ int32_t dmProcessRetrieve(SDnodeMgmt *pMgmt, SRpcMsg *pMsg) {
   int32_t    size = 0;
   int32_t    rowsRead = 0;
 
+  if (strcmp(pMsg->info.conn.user, TSDB_DEFAULT_USER) != 0) {
+    terrno = TSDB_CODE_MND_NO_RIGHTS;
+    return -1;
+  }
+
   SRetrieveTableReq retrieveReq = {0};
   if (tDeserializeSRetrieveTableReq(pMsg->pCont, pMsg->contLen, &retrieveReq) != 0) {
     terrno = TSDB_CODE_INVALID_MSG;

source/dnode/mnode/impl/inc/mndPrivilege.h

@@ -57,6 +57,8 @@ typedef enum {
   MND_OPER_USE_DB,
   MND_OPER_WRITE_DB,
   MND_OPER_READ_DB,
+  MND_OPER_READ_OR_WRITE_DB,
+  MND_OPER_SHOW_VARIBALES,
 } EOperType;
 
 int32_t mndInitPrivilege(SMnode *pMnode);
@@ -64,8 +66,8 @@ void    mndCleanupPrivilege(SMnode *pMnode);
 
 int32_t mndCheckOperPrivilege(SMnode *pMnode, const char *user, EOperType operType);
 int32_t mndCheckDbPrivilege(SMnode *pMnode, const char *user, EOperType operType, SDbObj *pDb);
-int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *name);
-int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType);
+int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *dbname);
+int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, EShowType showType, const char *dbname);
 int32_t mndCheckAlterUserPrivilege(SUserObj *pOperUser, SUserObj *pUser, SAlterUserReq *pAlter);
 
 #ifdef __cplusplus

source/dnode/mnode/impl/src/mndDb.c

@@ -15,9 +15,9 @@
 
 #define _DEFAULT_SOURCE
 #include "mndDb.h"
-#include "mndPrivilege.h"
 #include "mndDnode.h"
 #include "mndOffset.h"
+#include "mndPrivilege.h"
 #include "mndShow.h"
 #include "mndSma.h"
 #include "mndStb.h"
@@ -1336,7 +1336,7 @@ char *buildRetension(SArray *pRetension) {
 }
 
 static void dumpDbInfoData(SSDataBlock *pBlock, SDbObj *pDb, SShowObj *pShow, int32_t rows, int64_t numOfTables,
-                           bool sysDb, ESdbStatus objStatus) {
+                           bool sysDb, ESdbStatus objStatus, bool sysinfo) {
   int32_t cols = 0;
 
   int32_t     bytes = pShow->pMeta->pSchemas[cols].bytes;
@@ -1354,7 +1354,7 @@ static void dumpDbInfoData(SSDataBlock *pBlock, SDbObj *pDb, SShowObj *pShow, in
   char statusB[24] = {0};
   STR_WITH_SIZE_TO_VARSTR(statusB, status, strlen(status));
 
-  if (sysDb) {
+  if (sysDb || !sysinfo) {
     for (int32_t i = 0; i < pShow->numOfColumns; ++i) {
       SColumnInfoData *pColInfo = taosArrayGet(pBlock->pDataBlock, i);
       if (i == 0) {
@@ -1528,17 +1528,21 @@ static int32_t mndRetrieveDbs(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pBloc
   SDbObj    *pDb = NULL;
   ESdbStatus objStatus = 0;
 
+  SUserObj *pUser = mndAcquireUser(pMnode, pReq->info.conn.user);
+  if (pUser == NULL) return 0;
+  bool sysinfo = pUser->sysInfo;
+
   // Append the information_schema database into the result.
   if (!pShow->sysDbRsp) {
     SDbObj infoschemaDb = {0};
     setInformationSchemaDbCfg(&infoschemaDb);
-    dumpDbInfoData(pBlock, &infoschemaDb, pShow, numOfRows, 14, true, 0);
+    dumpDbInfoData(pBlock, &infoschemaDb, pShow, numOfRows, 14, true, 0, 1);
 
     numOfRows += 1;
 
     SDbObj perfschemaDb = {0};
     setPerfSchemaDbCfg(&perfschemaDb);
-    dumpDbInfoData(pBlock, &perfschemaDb, pShow, numOfRows, 3, true, 0);
+    dumpDbInfoData(pBlock, &perfschemaDb, pShow, numOfRows, 3, true, 0, 1);
 
     numOfRows += 1;
     pShow->sysDbRsp = true;
@@ -1550,16 +1554,19 @@ static int32_t mndRetrieveDbs(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pBloc
       break;
     }
 
-    int32_t numOfTables = 0;
-    sdbTraverse(pSdb, SDB_VGROUP, mndGetTablesOfDbFp, &numOfTables, NULL, NULL);
+    if (mndCheckDbPrivilege(pMnode, pReq->info.conn.user, MND_OPER_READ_OR_WRITE_DB, pDb) == 0) {
+      int32_t numOfTables = 0;
+      sdbTraverse(pSdb, SDB_VGROUP, mndGetTablesOfDbFp, &numOfTables, NULL, NULL);
+
+      dumpDbInfoData(pBlock, pDb, pShow, numOfRows, numOfTables, false, objStatus, sysinfo);
+      numOfRows++;
+    }
 
-    dumpDbInfoData(pBlock, pDb, pShow, numOfRows, numOfTables, false, objStatus);
-    numOfRows++;
     sdbRelease(pSdb, pDb);
   }
 
   pShow->numOfRows += numOfRows;
-
+  mndReleaseUser(pMnode, pUser);
   return numOfRows;
 }
 

source/dnode/mnode/impl/src/mndDnode.c

@@ -558,7 +558,11 @@ _OVER:
 
 static int32_t mndProcessShowVariablesReq(SRpcMsg *pReq) {
   SShowVariablesRsp rsp = {0};
-  int32_t       code = -1;
+  int32_t           code = -1;
+
+  if (mndCheckOperPrivilege(pReq->info.node, pReq->info.conn.user, MND_OPER_SHOW_VARIBALES) != 0) {
+    goto _OVER;
+  }
 
   rsp.variables = taosArrayInit(4, sizeof(SVariablesInfo));
   if (NULL == rsp.variables) {

source/dnode/mnode/impl/src/mndPrivilege.c

@@ -15,8 +15,8 @@
 
 #define _DEFAULT_SOURCE
 #include "mndPrivilege.h"
-#include "mndUser.h"
 #include "mndDb.h"
+#include "mndUser.h"
 
 int32_t mndInitPrivilege(SMnode *pMnode) { return 0; }
 
@@ -46,6 +46,7 @@ int32_t mndCheckOperPrivilege(SMnode *pMnode, const char *user, EOperType operTy
     case MND_OPER_CONNECT:
     case MND_OPER_CREATE_FUNC:
     case MND_OPER_DROP_FUNC:
+    case MND_OPER_SHOW_VARIBALES:
       break;
     default:
       terrno = TSDB_CODE_MND_NO_RIGHTS;
@@ -80,7 +81,7 @@ int32_t mndCheckAlterUserPrivilege(SUserObj *pOperUser, SUserObj *pUser, SAlterU
   return -1;
 }
 
-int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType) {
+int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, EShowType showType, const char *dbname) {
   int32_t   code = 0;
   SUserObj *pUser = mndAcquireUser(pMnode, user);
 
@@ -99,14 +100,34 @@ int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType
     goto _OVER;
   }
 
-  if (!pUser->sysInfo) {
-    terrno = TSDB_CODE_MND_NO_RIGHTS;
-    code = -1;
+  if (pUser->sysInfo) {
     goto _OVER;
   }
 
-  terrno = TSDB_CODE_MND_NO_RIGHTS;
-  code = -1;
+  switch (showType) {
+    case TSDB_MGMT_TABLE_DB:
+    case TSDB_MGMT_TABLE_STB:
+    case TSDB_MGMT_TABLE_INDEX:
+    case TSDB_MGMT_TABLE_STREAMS:
+    case TSDB_MGMT_TABLE_CONSUMERS:
+    case TSDB_MGMT_TABLE_TOPICS:
+    case TSDB_MGMT_TABLE_SUBSCRIPTIONS:
+    case TSDB_MGMT_TABLE_FUNC:
+    case TSDB_MGMT_TABLE_QUERIES:
+    case TSDB_MGMT_TABLE_CONNS:
+    case TSDB_MGMT_TABLE_APPS:
+    case TSDB_MGMT_TABLE_TRANS:
+      code = 0;
+      break;
+    default:
+      terrno = TSDB_CODE_MND_NO_RIGHTS;
+      code = -1;
+      goto _OVER;
+  }
+
+  if (showType == TSDB_MGMT_TABLE_STB || showType == TSDB_MGMT_TABLE_VGROUP || showType == TSDB_MGMT_TABLE_INDEX) {
+    code = mndCheckDbPrivilegeByName(pMnode, user, MND_OPER_READ_OR_WRITE_DB, dbname);
+  }
 
 _OVER:
   mndReleaseUser(pMnode, pUser);
@@ -138,7 +159,7 @@ int32_t mndCheckDbPrivilege(SMnode *pMnode, const char *user, EOperType operType
     if (strcmp(pUser->user, pDb->createUser) == 0 && pUser->sysInfo) goto _OVER;
   }
 
-  if (operType == MND_OPER_USE_DB) {
+  if (operType == MND_OPER_USE_DB || operType == MND_OPER_READ_OR_WRITE_DB) {
     if (strcmp(pUser->user, pDb->createUser) == 0) goto _OVER;
     if (taosHashGet(pUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
     if (taosHashGet(pUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
@@ -162,8 +183,8 @@ _OVER:
   return code;
 }
 
-int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *name) {
-  SDbObj *pDb = mndAcquireDb(pMnode, name);
+int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *dbname) {
+  SDbObj *pDb = mndAcquireDb(pMnode, dbname);
   if (pDb == NULL) return -1;
 
   int32_t code = mndCheckDbPrivilege(pMnode, user, operType, pDb);

source/dnode/mnode/impl/src/mndProfile.c

@@ -254,6 +254,10 @@ static int32_t mndProcessConnectReq(SRpcMsg *pReq) {
               terrstr());
       goto _OVER;
     }
+
+    if (mndCheckDbPrivilege(pMnode, pReq->info.conn.user, MND_OPER_READ_OR_WRITE_DB, pDb) != 0) {
+      goto _OVER;
+    }
   }
 
   pConn = mndCreateConn(pMnode, pReq->info.conn.user, connReq.connType, pReq->info.conn.clientIp,

source/dnode/mnode/impl/src/mndShow.c

@@ -231,8 +231,10 @@ static int32_t mndProcessRetrieveSysTableReq(SRpcMsg *pReq) {
   }
 
   mDebug("show:0x%" PRIx64 ", start retrieve data, type:%d", pShow->id, pShow->type);
-
-  // if (mndCheckShowPrivilege(pMnode, pReq->info.conn.user, pShow->type) != 0) return -1;
+  if (mndCheckShowPrivilege(pMnode, retrieveReq.user, pShow->type, retrieveReq.db) != 0) {
+    return -1;
+  }
+  memcpy(pReq->info.conn.user, retrieveReq.user, TSDB_USER_LEN);
 
   int32_t      numOfCols = pShow->pMeta->numOfColumns;
   SSDataBlock *pBlock = taosMemoryCalloc(1, sizeof(SSDataBlock));

source/dnode/mnode/impl/src/mndStb.c

@@ -15,12 +15,12 @@
 
 #define _DEFAULT_SOURCE
 #include "mndStb.h"
-#include "mndPrivilege.h"
 #include "mndDb.h"
 #include "mndDnode.h"
 #include "mndInfoSchema.h"
 #include "mndMnode.h"
 #include "mndPerfSchema.h"
+#include "mndPrivilege.h"
 #include "mndScheduler.h"
 #include "mndShow.h"
 #include "mndSma.h"
@@ -107,7 +107,7 @@ SSdbRaw *mndStbActionEncode(SStbObj *pStb) {
   int32_t funcNum = taosArrayGetSize(pStb->pFuncs);
   SDB_SET_INT32(pRaw, dataPos, funcNum, _OVER)
   for (int32_t i = 0; i < funcNum; ++i) {
-    char* func = taosArrayGet(pStb->pFuncs, i);
+    char *func = taosArrayGet(pStb->pFuncs, i);
     SDB_SET_BINARY(pRaw, dataPos, func, TSDB_FUNC_NAME_LEN, _OVER)
   }
 
@@ -708,7 +708,7 @@ int32_t mndBuildStbFromReq(SMnode *pMnode, SStbObj *pDst, SMCreateStbReq *pCreat
   pDst->commentLen = pCreate->commentLen;
   pDst->pFuncs = pCreate->pFuncs;
   pCreate->pFuncs = NULL;
-  
+
   if (pDst->commentLen > 0) {
     pDst->comment = taosMemoryCalloc(pDst->commentLen + 1, 1);
     if (pDst->comment == NULL) {
@@ -1391,12 +1391,11 @@ static int32_t mndBuildStbCfgImp(SDbObj *pDb, SStbObj *pStb, const char *tbName,
   if (pStb->pFuncs) {
     pRsp->pFuncs = taosArrayDup(pStb->pFuncs);
   }
-  
+
   taosRUnLockLatch(&pStb->lock);
   return 0;
 }
 
-
 static int32_t mndBuildStbSchema(SMnode *pMnode, const char *dbFName, const char *tbName, STableMetaRsp *pRsp,
                                  int32_t *smaVer) {
   char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
@@ -1426,30 +1425,28 @@ static int32_t mndBuildStbSchema(SMnode *pMnode, const char *dbFName, const char
 }
 
 static int32_t mndBuildStbCfg(SMnode *pMnode, const char *dbFName, const char *tbName, STableCfgRsp *pRsp) {
- char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
- snprintf(tbFName, sizeof(tbFName), "%s.%s", dbFName, tbName);
-
- SDbObj *pDb = mndAcquireDb(pMnode, dbFName);
- if (pDb == NULL) {
-   terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
-   return -1;
- }
-
- SStbObj *pStb = mndAcquireStb(pMnode, tbFName);
- if (pStb == NULL) {
-   mndReleaseDb(pMnode, pDb);
-   terrno = TSDB_CODE_PAR_TABLE_NOT_EXIST;
-   return -1;
- }
-
- int32_t code = mndBuildStbCfgImp(pDb, pStb, tbName, pRsp);
- 
- mndReleaseDb(pMnode, pDb);
- mndReleaseStb(pMnode, pStb);
- return code;
-}
+  char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
+  snprintf(tbFName, sizeof(tbFName), "%s.%s", dbFName, tbName);
+
+  SDbObj *pDb = mndAcquireDb(pMnode, dbFName);
+  if (pDb == NULL) {
+    terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
+    return -1;
+  }
+
+  SStbObj *pStb = mndAcquireStb(pMnode, tbFName);
+  if (pStb == NULL) {
+    mndReleaseDb(pMnode, pDb);
+    terrno = TSDB_CODE_PAR_TABLE_NOT_EXIST;
+    return -1;
+  }
 
+  int32_t code = mndBuildStbCfgImp(pDb, pStb, tbName, pRsp);
 
+  mndReleaseDb(pMnode, pDb);
+  mndReleaseStb(pMnode, pStb);
+  return code;
+}
 
 static int32_t mndBuildSMAlterStbRsp(SDbObj *pDb, const SMAlterStbReq *pAlter, SStbObj *pObj, void **pCont,
                                      int32_t *pLen) {
@@ -1811,10 +1808,10 @@ _OVER:
 }
 
 static int32_t mndProcessTableCfgReq(SRpcMsg *pReq) {
-  SMnode       *pMnode = pReq->info.node;
-  int32_t       code = -1;
-  STableCfgReq  cfgReq = {0};
-  STableCfgRsp  cfgRsp = {0};
+  SMnode      *pMnode = pReq->info.node;
+  int32_t      code = -1;
+  STableCfgReq cfgReq = {0};
+  STableCfgRsp cfgRsp = {0};
 
   if (tDeserializeSTableCfgReq(pReq->pCont, pReq->contLen, &cfgReq) != 0) {
     terrno = TSDB_CODE_INVALID_MSG;
@@ -1866,7 +1863,6 @@ _OVER:
   return code;
 }
 
-
 int32_t mndValidateStbInfo(SMnode *pMnode, SSTableVersion *pStbVersions, int32_t numOfStbs, void **ppRsp,
                            int32_t *pRspLen) {
   SSTbHbRsp hbRsp = {0};

tests/script/tsim/user/privilege_sysinfo.sim

@@ -8,6 +8,7 @@ sql create user sysinfo0 pass 'taosdata'
 sql create user sysinfo1 pass 'taosdata'
 sql alter user sysinfo0 sysinfo 0
 sql alter user sysinfo1 sysinfo 1
+sql create database db
 
 print user sysinfo0 login
 sql close
@@ -39,6 +40,24 @@ sql_error kill connection 1
 sql_error kill query 1
 
 print =============== check db
-sql_error create database db
+sql_error create database d1
+sql_error drop database db
+sql_error use db
+sql_error alter database db replica 1;
+sql_error show db.vgroups
+sql_error show db.stables
+sql_error show db.tables
+
+print =============== check show
+sql_error show users
+sql_error show cluster
+sql_error show dnodes
+sql_error show mnodes
+sql_error show snodes
+sql_error show qnodes
+sql_error show bnodes
+sql_error show grants
+sql_error show dnode 1 variables;
+sql show variables;
 
 system sh/exec.sh -n dnode1 -s stop -x SIGINT
\ No newline at end of file

tools/shell/src/shellEngine.c

@@ -858,9 +858,7 @@ void shellGetGrantInfo() {
 
   int32_t code = taos_errno(tres);
   if (code != TSDB_CODE_SUCCESS) {
-    if (code == TSDB_CODE_OPS_NOT_SUPPORT) {
-      fprintf(stdout, "Server is Community Edition, %s\n\n", sinfo);
-    } else {
+    if (code != TSDB_CODE_OPS_NOT_SUPPORT && code != TSDB_CODE_MND_NO_RIGHTS) {
       fprintf(stderr, "Failed to check Server Edition, Reason:0x%04x:%s\n\n", code, taos_errstr(tres));
     }
     return;