From 89d6ca78233ff3a7c48968645612b3f022b4c99b Mon Sep 17 00:00:00 2001
From: Shengliang Guan
Date: Sat, 25 Jun 2022 18:03:12 +0800
Subject: [PATCH] feat: privilege for sysinfo user

---
 include/libs/transport/trpc.h | 6 +-
 source/dnode/mgmt/mgmt_dnode/src/dmHandle.c | 5 ++
 source/dnode/mnode/impl/inc/mndPrivilege.h | 6 +-
 source/dnode/mnode/impl/src/mndDb.c | 27 +++++----
 source/dnode/mnode/impl/src/mndDnode.c | 6 +-
 source/dnode/mnode/impl/src/mndPrivilege.c | 41 +++++++++----
 source/dnode/mnode/impl/src/mndProfile.c | 4 ++
 source/dnode/mnode/impl/src/mndShow.c | 6 +-
 source/dnode/mnode/impl/src/mndStb.c | 60 +++++++++-----------
 tests/script/tsim/user/privilege_sysinfo.sim | 21 ++++++-
 tools/shell/src/shellEngine.c | 4 +-
 11 files changed, 121 insertions(+), 65 deletions(-)

diff --git a/include/libs/transport/trpc.h b/include/libs/transport/trpc.h
index 77de5f4756..c2c1a3534d 100644
--- a/include/libs/transport/trpc.h
+++ b/include/libs/transport/trpc.h
@@ -34,10 +34,8 @@ extern int32_t tsRpcHeadSize;
 typedef struct {
 uint32_t clientIp;
 uint16_t clientPort;
- union {
- char user[TSDB_USER_LEN];
- int64_t applyIndex;
- };
+ int64_t applyIndex;
+ char user[TSDB_USER_LEN];
 } SRpcConnInfo;

 typedef struct SRpcHandleInfo {
diff --git a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c
index 3d1ece0b64..363f438b80 100644
--- a/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c
+++ b/source/dnode/mgmt/mgmt_dnode/src/dmHandle.c
@@ -253,6 +253,11 @@ int32_t dmProcessRetrieve(SDnodeMgmt *pMgmt, SRpcMsg *pMsg) {
 int32_t size = 0;
 int32_t rowsRead = 0;

+ if (strcmp(pMsg->info.conn.user, TSDB_DEFAULT_USER) != 0) {
+ terrno = TSDB_CODE_MND_NO_RIGHTS;
+ return -1;
+ }
+
 SRetrieveTableReq retrieveReq = {0};
 if (tDeserializeSRetrieveTableReq(pMsg->pCont, pMsg->contLen, &retrieveReq) != 0) {
 terrno = TSDB_CODE_INVALID_MSG;
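Review bot: The guard added to dmProcessRetrieve accepts only TSDB_DEFAULT_USER, so every other account, including one with sysinfo enabled, gets TSDB_CODE_MND_NO_RIGHTS for a dnode-side retrieve, whereas the mnode hunks in this commit decide the equivalent requests from pUser->sysInfo; if the divergence is deliberate (the dnode presumably has no user objects to consult), a comment should record it, e.g. `// dnode has no user table to consult; only the default user may retrieve dnode-local data`. strcmp also assumes conn.user is NUL-terminated within its TSDB_USER_LEN buffer, which depends on how the transport fills it, outside this hunk. dmProcessRetrieve continues past the hunk.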
diff --git a/source/dnode/mnode/impl/inc/mndPrivilege.h b/source/dnode/mnode/impl/inc/mndPrivilege.h
index a1bec69790..0c56f6f155 100644
--- a/source/dnode/mnode/impl/inc/mndPrivilege.h
+++ b/source/dnode/mnode/impl/inc/mndPrivilege.h
@@ -57,6 +57,8 @@ typedef enum {
 MND_OPER_USE_DB,
 MND_OPER_WRITE_DB,
 MND_OPER_READ_DB,
+ MND_OPER_READ_OR_WRITE_DB,
+ MND_OPER_SHOW_VARIBALES,
 } EOperType;

 int32_t mndInitPrivilege(SMnode *pMnode);
@@ -64,8 +66,8 @@ void mndCleanupPrivilege(SMnode *pMnode);

 int32_t mndCheckOperPrivilege(SMnode *pMnode, const char *user, EOperType operType);
 int32_t mndCheckDbPrivilege(SMnode *pMnode, const char *user, EOperType operType, SDbObj *pDb);
-int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *name);
-int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType);
+int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *dbname);
+int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, EShowType showType, const char *dbname);
 int32_t mndCheckAlterUserPrivilege(SUserObj *pOperUser, SUserObj *pUser, SAlterUserReq *pAlter);

 #ifdef __cplusplus
diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c
index 0345f1b345..abd1492d5e 100644
--- a/source/dnode/mnode/impl/src/mndDb.c
+++ b/source/dnode/mnode/impl/src/mndDb.c
@@ -15,9 +15,9 @@
 #define _DEFAULT_SOURCE
 #include "mndDb.h"
-#include "mndPrivilege.h"
 #include "mndDnode.h"
 #include "mndOffset.h"
+#include "mndPrivilege.h"
 #include "mndShow.h"
 #include "mndSma.h"
 #include "mndStb.h"
@@ -1336,7 +1336,7 @@ char *buildRetension(SArray *pRetension) {
 }

 static void dumpDbInfoData(SSDataBlock *pBlock, SDbObj *pDb, SShowObj *pShow, int32_t rows, int64_t numOfTables,
- bool sysDb, ESdbStatus objStatus) {
+ bool sysDb, ESdbStatus objStatus, bool sysinfo) {
 int32_t cols = 0;
 int32_t bytes = pShow->pMeta->pSchemas[cols].bytes;
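Review bot: `MND_OPER_SHOW_VARIBALES` is misspelled; since it is a new enumerator, renaming it to `MND_OPER_SHOW_VARIABLES` here and at its two uses in the mndDnode.c and mndPrivilege.c hunks costs nothing now and avoids carrying the typo into the public EOperType enum.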
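Review bot: The new `dbname` parameter of mndCheckShowPrivilege has no stated contract in the header: from the mndPrivilege.c hunk it is consulted only for the stable, vgroup and index show types and is handed straight to mndAcquireDb, so a caller with no database selected has to know what to pass. A comment above the prototype such as `// dbname: database the show targets; consulted only for per-database show types (stables, indexes), ignored for the rest` would capture that, with the behaviour for an empty name confirmed against mndAcquireDb, which is outside this diff.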
@@ -1354,7 +1354,7 @@ static void dumpDbInfoData(SSDataBlock *pBlock, SDbObj *pDb, SShowObj *pShow, in
 char statusB[24] = {0};
 STR_WITH_SIZE_TO_VARSTR(statusB, status, strlen(status));

- if (sysDb) {
+ if (sysDb || !sysinfo) {
 for (int32_t i = 0; i < pShow->numOfColumns; ++i) {
 SColumnInfoData *pColInfo = taosArrayGet(pBlock->pDataBlock, i);
 if (i == 0) {
@@ -1528,17 +1528,21 @@ static int32_t mndRetrieveDbs(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pBloc
 SDbObj *pDb = NULL;
 ESdbStatus objStatus = 0;

+ SUserObj *pUser = mndAcquireUser(pMnode, pReq->info.conn.user);
+ if (pUser == NULL) return 0;
+ bool sysinfo = pUser->sysInfo;
+
 // Append the information_schema database into the result.
 if (!pShow->sysDbRsp) {
 SDbObj infoschemaDb = {0};
 setInformationSchemaDbCfg(&infoschemaDb);
- dumpDbInfoData(pBlock, &infoschemaDb, pShow, numOfRows, 14, true, 0);
+ dumpDbInfoData(pBlock, &infoschemaDb, pShow, numOfRows, 14, true, 0, 1);
 numOfRows += 1;

 SDbObj perfschemaDb = {0};
 setPerfSchemaDbCfg(&perfschemaDb);
- dumpDbInfoData(pBlock, &perfschemaDb, pShow, numOfRows, 3, true, 0);
+ dumpDbInfoData(pBlock, &perfschemaDb, pShow, numOfRows, 3, true, 0, 1);
 numOfRows += 1;

 pShow->sysDbRsp = true;
@@ -1550,16 +1554,19 @@ static int32_t mndRetrieveDbs(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock *pBloc
 break;
 }

- int32_t numOfTables = 0;
- sdbTraverse(pSdb, SDB_VGROUP, mndGetTablesOfDbFp, &numOfTables, NULL, NULL);
+ if (mndCheckDbPrivilege(pMnode, pReq->info.conn.user, MND_OPER_READ_OR_WRITE_DB, pDb) == 0) {
+ int32_t numOfTables = 0;
+ sdbTraverse(pSdb, SDB_VGROUP, mndGetTablesOfDbFp, &numOfTables, NULL, NULL);
+
+ dumpDbInfoData(pBlock, pDb, pShow, numOfRows, numOfTables, false, objStatus, sysinfo);
+ numOfRows++;
+ }

- dumpDbInfoData(pBlock, pDb, pShow, numOfRows, numOfTables, false, objStatus);
- numOfRows++;
 sdbRelease(pSdb, pDb);
 }

 pShow->numOfRows += numOfRows;
-
+ mndReleaseUser(pMnode, pUser);
 return numOfRows;
 }
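Review bot: The new `sysinfo` argument of dumpDbInfoData changes which columns are filled (`if (sysDb || !sysinfo)` sends a non-sysinfo user's databases down the same reduced path as the system databases) but nothing at the definition says so; a comment on the parameter, `// sysinfo: false when the requesting user lacks sysinfo, in which case only the reduced column set used for system databases is emitted`, would make the intent readable. The definition's signature is in the previous hunk and its body continues outside this one.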
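Review bot: `if (pUser == NULL) return 0;` in mndRetrieveDbs turns a failed user lookup into an empty, successful result with pShow->numOfRows untouched; the name looked up here is whatever the mndShow.c hunk copied in from retrieveReq.user, so an unknown name ought to surface as an error rather than silently yield no rows, e.g. `if (pUser == NULL) return -1;` relying on terrno as mndAcquireUser leaves it (confirm it sets one). The two dumpDbInfoData calls for the schema databases pass the literal `1` for a bool parameter; `true` reads better and matches the `sysinfo` variable used in the next hunk. In that next hunk, a denied mndCheckDbPrivilege presumably sets terrno as a side effect (its failure path is not visible here) while the retrieve still returns its row count, so terrno can be stale after a successful call; worth a comment or a reset at the end.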
diff --git a/source/dnode/mnode/impl/src/mndDnode.c b/source/dnode/mnode/impl/src/mndDnode.c
index af1d641ebf..5e78d0f434 100644
--- a/source/dnode/mnode/impl/src/mndDnode.c
+++ b/source/dnode/mnode/impl/src/mndDnode.c
@@ -558,7 +558,11 @@ _OVER:
 static int32_t mndProcessShowVariablesReq(SRpcMsg *pReq) {
 SShowVariablesRsp rsp = {0};
- int32_t code = -1;
+ int32_t code = -1;
+
+ if (mndCheckOperPrivilege(pReq->info.node, pReq->info.conn.user, MND_OPER_SHOW_VARIBALES) != 0) {
+ goto _OVER;
+ }

 rsp.variables = taosArrayInit(4, sizeof(SVariablesInfo));
 if (NULL == rsp.variables) {
diff --git a/source/dnode/mnode/impl/src/mndPrivilege.c b/source/dnode/mnode/impl/src/mndPrivilege.c
index 752b11540d..dc321e38d1 100644
--- a/source/dnode/mnode/impl/src/mndPrivilege.c
+++ b/source/dnode/mnode/impl/src/mndPrivilege.c
@@ -15,8 +15,8 @@
 #define _DEFAULT_SOURCE
 #include "mndPrivilege.h"
-#include "mndUser.h"
 #include "mndDb.h"
+#include "mndUser.h"

 int32_t mndInitPrivilege(SMnode *pMnode) { return 0; }
@@ -46,6 +46,7 @@ int32_t mndCheckOperPrivilege(SMnode *pMnode, const char *user, EOperType operTy
 case MND_OPER_CONNECT:
 case MND_OPER_CREATE_FUNC:
 case MND_OPER_DROP_FUNC:
+ case MND_OPER_SHOW_VARIBALES:
 break;
 default:
 terrno = TSDB_CODE_MND_NO_RIGHTS;
@@ -80,7 +81,7 @@ int32_t mndCheckAlterUserPrivilege(SUserObj *pOperUser, SUserObj *pUser, SAlterU
 return -1;
 }

-int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType) {
+int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, EShowType showType, const char *dbname) {
 int32_t code = 0;
 SUserObj *pUser = mndAcquireUser(pMnode, user);
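Review bot: The mndCheckOperPrivilege call added to mndProcessShowVariablesReq cannot deny anyone as the commit stands: the mndPrivilege.c hunk puts MND_OPER_SHOW_VARIBALES in the `break` group of always-permitted operations next to MND_OPER_CONNECT, and the .sim test expects `show variables` to succeed for the sysinfo-0 user, so the gate is currently a placeholder. If that is intended, say so at the call site, `// currently permitted for every user; kept as the hook for a per-user policy`; otherwise the case belongs in a branch of mndCheckOperPrivilege that consults pUser->sysInfo. The early `goto _OVER` runs before rsp.variables is allocated, so the cleanup under that label, outside the hunk, must tolerate a NULL array; mndProcessShowVariablesReq continues past the hunk.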
@@ -99,14 +100,34 @@ int32_t mndCheckShowPrivilege(SMnode *pMnode, const char *user, int32_t showType
 goto _OVER;
 }

- if (!pUser->sysInfo) {
- terrno = TSDB_CODE_MND_NO_RIGHTS;
- code = -1;
+ if (pUser->sysInfo) {
 goto _OVER;
 }

- terrno = TSDB_CODE_MND_NO_RIGHTS;
- code = -1;
+ switch (showType) {
+ case TSDB_MGMT_TABLE_DB:
+ case TSDB_MGMT_TABLE_STB:
+ case TSDB_MGMT_TABLE_INDEX:
+ case TSDB_MGMT_TABLE_STREAMS:
+ case TSDB_MGMT_TABLE_CONSUMERS:
+ case TSDB_MGMT_TABLE_TOPICS:
+ case TSDB_MGMT_TABLE_SUBSCRIPTIONS:
+ case TSDB_MGMT_TABLE_FUNC:
+ case TSDB_MGMT_TABLE_QUERIES:
+ case TSDB_MGMT_TABLE_CONNS:
+ case TSDB_MGMT_TABLE_APPS:
+ case TSDB_MGMT_TABLE_TRANS:
+ code = 0;
+ break;
+ default:
+ terrno = TSDB_CODE_MND_NO_RIGHTS;
+ code = -1;
+ goto _OVER;
+ }
+
+ if (showType == TSDB_MGMT_TABLE_STB || showType == TSDB_MGMT_TABLE_VGROUP || showType == TSDB_MGMT_TABLE_INDEX) {
+ code = mndCheckDbPrivilegeByName(pMnode, user, MND_OPER_READ_OR_WRITE_DB, dbname);
+ }

 _OVER:
 mndReleaseUser(pMnode, pUser);
@@ -138,7 +159,7 @@ int32_t mndCheckDbPrivilege(SMnode *pMnode, const char *user, EOperType operType
 if (strcmp(pUser->user, pDb->createUser) == 0 && pUser->sysInfo) goto _OVER;
 }

- if (operType == MND_OPER_USE_DB) {
+ if (operType == MND_OPER_USE_DB || operType == MND_OPER_READ_OR_WRITE_DB) {
 if (strcmp(pUser->user, pDb->createUser) == 0) goto _OVER;
 if (taosHashGet(pUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
 if (taosHashGet(pUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) goto _OVER;
@@ -162,8 +183,8 @@ _OVER:
 return code;
 }

-int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *name) {
- SDbObj *pDb = mndAcquireDb(pMnode, name);
+int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType operType, const char *dbname) {
+ SDbObj *pDb = mndAcquireDb(pMnode, dbname);
 if (pDb == NULL) return -1;

 int32_t code = mndCheckDbPrivilege(pMnode, user, operType, pDb);
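Review bot: In mndCheckShowPrivilege the `showType == TSDB_MGMT_TABLE_VGROUP` term of the per-database check is unreachable: TSDB_MGMT_TABLE_VGROUP is not in the switch's allowed list, so the default branch has already left with TSDB_CODE_MND_NO_RIGHTS. Either add `case TSDB_MGMT_TABLE_VGROUP:` to the switch so vgroups are gated by database grants like stables and indexes (the .sim test's `sql_error show db.vgroups` should still hold, as that user has no grant on db), or drop the term from the condition. `code = 0;` inside the switch is redundant, code is initialised to 0 at the top of the function. Note too that `if (pUser->sysInfo) goto _OVER;` leaves code at 0 for every sysinfo user before the per-database step, so such users skip database-level checks for per-database shows while mndRetrieveDbs in this commit applies MND_OPER_READ_OR_WRITE_DB to them as well; confirm that asymmetry is intended. The function's opening lines are in the previous hunk.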
diff --git a/source/dnode/mnode/impl/src/mndProfile.c b/source/dnode/mnode/impl/src/mndProfile.c
index f2e599b073..38368b4ece 100644
--- a/source/dnode/mnode/impl/src/mndProfile.c
+++ b/source/dnode/mnode/impl/src/mndProfile.c
@@ -254,6 +254,10 @@ static int32_t mndProcessConnectReq(SRpcMsg *pReq) {
 terrstr());
 goto _OVER;
 }
+
+ if (mndCheckDbPrivilege(pMnode, pReq->info.conn.user, MND_OPER_READ_OR_WRITE_DB, pDb) != 0) {
+ goto _OVER;
+ }
 }

 pConn = mndCreateConn(pMnode, pReq->info.conn.user, connReq.connType, pReq->info.conn.clientIp,
diff --git a/source/dnode/mnode/impl/src/mndShow.c b/source/dnode/mnode/impl/src/mndShow.c
index 3351cff3a3..671adba046 100644
--- a/source/dnode/mnode/impl/src/mndShow.c
+++ b/source/dnode/mnode/impl/src/mndShow.c
@@ -231,8 +231,10 @@ static int32_t mndProcessRetrieveSysTableReq(SRpcMsg *pReq) {
 }

 mDebug("show:0x%" PRIx64 ", start retrieve data, type:%d", pShow->id, pShow->type);
-
- // if (mndCheckShowPrivilege(pMnode, pReq->info.conn.user, pShow->type) != 0) return -1;
+ if (mndCheckShowPrivilege(pMnode, retrieveReq.user, pShow->type, retrieveReq.db) != 0) {
+ return -1;
+ }
+ memcpy(pReq->info.conn.user, retrieveReq.user, TSDB_USER_LEN);

 int32_t numOfCols = pShow->pMeta->numOfColumns;
 SSDataBlock *pBlock = taosMemoryCalloc(1, sizeof(SSDataBlock));
diff --git a/source/dnode/mnode/impl/src/mndStb.c b/source/dnode/mnode/impl/src/mndStb.c
index 77b13cd82d..92f85ecd04 100644
--- a/source/dnode/mnode/impl/src/mndStb.c
+++ b/source/dnode/mnode/impl/src/mndStb.c
@@ -15,12 +15,12 @@
 #define _DEFAULT_SOURCE
 #include "mndStb.h"
-#include "mndPrivilege.h"
 #include "mndDb.h"
 #include "mndDnode.h"
 #include "mndInfoSchema.h"
 #include "mndMnode.h"
 #include "mndPerfSchema.h"
+#include "mndPrivilege.h"
 #include "mndScheduler.h"
 #include "mndShow.h"
 #include "mndSma.h"
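Review bot: In mndProcessRetrieveSysTableReq the privilege check and the memcpy that follows take the user name from the deserialized request body (`retrieveReq.user`) rather than from the authenticated connection (`pReq->info.conn.user`), and then overwrite the connection's user with it; if that field is client-supplied, the check is evaluated against a name the client chose, and every mndRetrieve* callback that later reads pReq->info.conn.user (mndRetrieveDbs in this commit does) inherits it. If the transport reliably populates conn.user, which the trpc.h hunk separating it from applyIndex suggests, the check should use that name, or the request should be refused when the two disagree, e.g. `if (strncmp(pReq->info.conn.user, retrieveReq.user, TSDB_USER_LEN) != 0) { terrno = TSDB_CODE_MND_NO_RIGHTS; return -1; }` placed before the check. The memcpy also carries over all TSDB_USER_LEN bytes as the deserializer left them, so NUL termination rests on tDeserializeSRetrieveTableReq, which is outside the hunk. The function continues past the hunk.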
@@ -107,7 +107,7 @@ SSdbRaw *mndStbActionEncode(SStbObj *pStb) {
 int32_t funcNum = taosArrayGetSize(pStb->pFuncs);
 SDB_SET_INT32(pRaw, dataPos, funcNum, _OVER)
 for (int32_t i = 0; i < funcNum; ++i) {
- char* func = taosArrayGet(pStb->pFuncs, i);
+ char *func = taosArrayGet(pStb->pFuncs, i);
 SDB_SET_BINARY(pRaw, dataPos, func, TSDB_FUNC_NAME_LEN, _OVER)
 }

@@ -708,7 +708,7 @@ int32_t mndBuildStbFromReq(SMnode *pMnode, SStbObj *pDst, SMCreateStbReq *pCreat
 pDst->commentLen = pCreate->commentLen;
 pDst->pFuncs = pCreate->pFuncs;
 pCreate->pFuncs = NULL;
-
+
 if (pDst->commentLen > 0) {
 pDst->comment = taosMemoryCalloc(pDst->commentLen + 1, 1);
 if (pDst->comment == NULL) {
@@ -1391,12 +1391,11 @@ static int32_t mndBuildStbCfgImp(SDbObj *pDb, SStbObj *pStb, const char *tbName,
 if (pStb->pFuncs) {
 pRsp->pFuncs = taosArrayDup(pStb->pFuncs);
 }
-
+
 taosRUnLockLatch(&pStb->lock);
 return 0;
 }

-
 static int32_t mndBuildStbSchema(SMnode *pMnode, const char *dbFName, const char *tbName, STableMetaRsp *pRsp,
 int32_t *smaVer) {
 char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
@@ -1426,30 +1425,28 @@ static int32_t mndBuildStbSchema(SMnode *pMnode, const char *dbFName, const char
 }

 static int32_t mndBuildStbCfg(SMnode *pMnode, const char *dbFName, const char *tbName, STableCfgRsp *pRsp) {
- char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
- snprintf(tbFName, sizeof(tbFName), "%s.%s", dbFName, tbName);
-
- SDbObj *pDb = mndAcquireDb(pMnode, dbFName);
- if (pDb == NULL) {
- terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
- return -1;
- }
-
- SStbObj *pStb = mndAcquireStb(pMnode, tbFName);
- if (pStb == NULL) {
- mndReleaseDb(pMnode, pDb);
- terrno = TSDB_CODE_PAR_TABLE_NOT_EXIST;
- return -1;
- }
-
- int32_t code = mndBuildStbCfgImp(pDb, pStb, tbName, pRsp);
-
- mndReleaseDb(pMnode, pDb);
- mndReleaseStb(pMnode, pStb);
- return code;
-}
+ char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
+ snprintf(tbFName, sizeof(tbFName), "%s.%s", dbFName, tbName);
+
+ SDbObj *pDb = mndAcquireDb(pMnode, dbFName);
+ if (pDb == NULL) {
+ terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
+ return -1;
+ }
+
+ SStbObj *pStb = mndAcquireStb(pMnode, tbFName);
+ if (pStb == NULL) {
+ mndReleaseDb(pMnode, pDb);
+ terrno = TSDB_CODE_PAR_TABLE_NOT_EXIST;
+ return -1;
+ }

+ int32_t code = mndBuildStbCfgImp(pDb, pStb, tbName, pRsp);
+ mndReleaseDb(pMnode, pDb);
+ mndReleaseStb(pMnode, pStb);
+ return code;
+}
 static int32_t mndBuildSMAlterStbRsp(SDbObj *pDb, const SMAlterStbReq *pAlter, SStbObj *pObj, void **pCont,
 int32_t *pLen) {
@@ -1811,10 +1808,10 @@ _OVER:
 }

 static int32_t mndProcessTableCfgReq(SRpcMsg *pReq) {
- SMnode *pMnode = pReq->info.node;
- int32_t code = -1;
- STableCfgReq cfgReq = {0};
- STableCfgRsp cfgRsp = {0};
+ SMnode *pMnode = pReq->info.node;
+ int32_t code = -1;
+ STableCfgReq cfgReq = {0};
+ STableCfgRsp cfgRsp = {0};

 if (tDeserializeSTableCfgReq(pReq->pCont, pReq->contLen, &cfgReq) != 0) {
 terrno = TSDB_CODE_INVALID_MSG;
@@ -1866,7 +1863,6 @@ _OVER:
 return code;
 }

-
 int32_t mndValidateStbInfo(SMnode *pMnode, SSTableVersion *pStbVersions, int32_t numOfStbs, void **ppRsp,
 int32_t *pRspLen) {
 SSTbHbRsp hbRsp = {0};
diff --git a/tests/script/tsim/user/privilege_sysinfo.sim b/tests/script/tsim/user/privilege_sysinfo.sim
index 35760d45fd..10c31dc288 100644
--- a/tests/script/tsim/user/privilege_sysinfo.sim
+++ b/tests/script/tsim/user/privilege_sysinfo.sim
@@ -8,6 +8,7 @@ sql create user sysinfo0 pass 'taosdata'
 sql create user sysinfo1 pass 'taosdata'
 sql alter user sysinfo0 sysinfo 0
 sql alter user sysinfo1 sysinfo 1
+sql create database db

 print user sysinfo0 login
 sql close
@@ -39,6 +40,24 @@ sql_error kill connection 1
 sql_error kill query 1

 print =============== check db
-sql_error create database db
+sql_error create database d1
+sql_error drop database db
+sql_error use db
+sql_error alter database db replica 1;
+sql_error show db.vgroups
+sql_error show db.stables
+sql_error show db.tables
+
+print =============== check show
+sql_error show users
+sql_error show cluster
+sql_error show dnodes
+sql_error show mnodes
+sql_error show snodes
+sql_error show qnodes
+sql_error show bnodes
+sql_error show grants
+sql_error show dnode 1 variables;
+sql show variables;

 system sh/exec.sh -n dnode1 -s stop -x SIGINT
\ No newline at end of file
diff --git a/tools/shell/src/shellEngine.c b/tools/shell/src/shellEngine.c
index 8a017d378d..2296d573cb 100644
--- a/tools/shell/src/shellEngine.c
+++ b/tools/shell/src/shellEngine.c
@@ -858,9 +858,7 @@ void shellGetGrantInfo() {
 int32_t code = taos_errno(tres);
 if (code != TSDB_CODE_SUCCESS) {
- if (code == TSDB_CODE_OPS_NOT_SUPPORT) {
- fprintf(stdout, "Server is Community Edition, %s\n\n", sinfo);
- } else {
+ if (code != TSDB_CODE_OPS_NOT_SUPPORT && code != TSDB_CODE_MND_NO_RIGHTS) {
 fprintf(stderr, "Failed to check Server Edition, Reason:0x%04x:%s\n\n", code, taos_errstr(tres));
 }
 return;
-- 
GitLab
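Review bot: The new assertions in privilege_sysinfo.sim cover only the sysinfo-0 login; the sysinfo1 user created at the top is never used within this hunk, so nothing checks the path the mndCheckShowPrivilege change decides for it, namely whether a sysinfo-1 user without a grant on db can run `show db.stables` or `show db.vgroups`. Unless that is exercised further down the script, adding a sysinfo1 login with those two statements (as `sql` or `sql_error`, whichever the intended policy is) would pin the behaviour this commit introduces.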
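Review bot: The rewritten condition in shellGetGrantInfo drops the `Server is Community Edition, %s` message entirely, so a community server now prints nothing where it used to report its edition, and TSDB_CODE_MND_NO_RIGHTS is folded into the same silent path; if the edition message was meant to survive for OPS_NOT_SUPPORT, keep that branch and silence only NO_RIGHTS, e.g. `if (code == TSDB_CODE_OPS_NOT_SUPPORT) { fprintf(stdout, "Server is Community Edition, %s\n\n", sinfo); } else if (code != TSDB_CODE_MND_NO_RIGHTS) {`. If `sinfo` was referenced only in the removed fprintf, it is now an unused variable in this function; its declaration is outside the hunk. shellGetGrantInfo continues past the hunk.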