auth for stb

9a927afb · Shengliang Guan · cfa76f83 · 9a927afb · 9a927afb · 9a927afb
3 changed file
--- a/source/dnode/mnode/impl/inc/mndAuth.h
+++ b/source/dnode/mnode/impl/inc/mndAuth.h
@@ -36,6 +36,9 @@ int32_t mndCheckCreateDbAuth(SUserObj *pOperUser);
 int32_t mndCheckAlterDropCompactSyncDbAuth(SUserObj *pOperUser, SDbObj *pDb);
 int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb);

+int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb);
+int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb);
+
 #ifdef __cplusplus
 }
 #endif

--- a/source/dnode/mnode/impl/src/mndAuth.c
+++ b/source/dnode/mnode/impl/src/mndAuth.c
@@ -141,3 +141,29 @@ int32_t mndCheckAlterDropCompactSyncDbAuth(SUserObj *pOperUser, SDbObj *pDb) {
 }

 int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb) { return 0; }
+
+int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb) {
+  if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) {
+    return 0;
+  }
+
+  if (taosHashGet(pOperUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) {
+    return 0;
+  }
+
+  terrno = TSDB_CODE_MND_NO_RIGHTS;
+  return -1;
+}
+
+int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb) {
+  if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) {
+    return 0;
+  }
+
+  if (taosHashGet(pOperUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) {
+    return 0;
+  }
+
+  terrno = TSDB_CODE_MND_NO_RIGHTS;
+  return -1;
+}
\ No newline at end of file
--- a/source/dnode/mnode/impl/src/mndStb.c
+++ b/source/dnode/mnode/impl/src/mndStb.c
@@ -15,6 +15,7 @@

 #define _DEFAULT_SOURCE
 #include "mndStb.h"
+#include "mndAuth.h"
 #include "mndDb.h"
 #include "mndDnode.h"
 #include "mndMnode.h"
@@ -343,7 +344,7 @@ static int32_t mndCheckCreateStbReq(SMCreateStbReq *pCreate) {
    return -1;
  }

-  SField *pField = taosArrayGet(pCreate->pColumns, 0) ;
+  SField *pField = taosArrayGet(pCreate->pColumns, 0);
  if (pField->type != TSDB_DATA_TYPE_TIMESTAMP) {
    terrno = TSDB_CODE_MND_INVALID_STB_OPTION;
    return -1;
@@ -549,12 +550,16 @@ static int32_t mndProcessMCreateStbReq(SMnodeMsg *pReq) {
  SStbObj       *pTopicStb = NULL;
  SStbObj       *pStb = NULL;
  SDbObj        *pDb = NULL;
+  SUserObj      *pUser = NULL;
  SMCreateStbReq createReq = {0};

  if (tDeserializeSMCreateStbReq(pReq->rpcMsg.pCont, &createReq) == NULL) goto CREATE_STB_OVER;

  mDebug("stb:%s, start to create", createReq.name);
-  if (mndCheckCreateStbReq(&createReq) != 0) goto CREATE_STB_OVER;
+  if (mndCheckCreateStbReq(&createReq) != 0) {
+    terrno = TSDB_CODE_INVALID_MSG;
+    goto CREATE_STB_OVER;
+  }

  pStb = mndAcquireStb(pMnode, createReq.name);
  if (pStb != NULL) {
@@ -582,6 +587,15 @@ static int32_t mndProcessMCreateStbReq(SMnodeMsg *pReq) {
    goto CREATE_STB_OVER;
  }

+  pUser = mndAcquireUser(pMnode, pReq->user);
+  if (pUser == NULL) {
+    goto CREATE_STB_OVER;
+  }
+
+  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+    goto CREATE_STB_OVER;
+  }
+
  code = mndCreateStb(pMnode, pReq, &createReq, pDb);
  if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;

@@ -593,8 +607,8 @@ CREATE_STB_OVER:
  mndReleaseStb(pMnode, pStb);
  mndReleaseStb(pMnode, pTopicStb);
  mndReleaseDb(pMnode, pDb);
-  taosArrayDestroy(createReq.pColumns);
-  taosArrayDestroy(createReq.pTags);
+  mndReleaseUser(pMnode, pUser);
+  tFreeSMCreateStbReq(&createReq);

  return code;
 }
@@ -965,7 +979,7 @@ static int32_t mndAlterStb(SMnode *pMnode, SMnodeMsg *pReq, const SMAltertbReq *
  int32_t code = -1;
  STrans *pTrans = NULL;
  SField *pField0 = taosArrayGet(pAlter->pFields, 0);
-      
+
  switch (pAlter->alterType) {
    case TSDB_ALTER_TABLE_ADD_TAG:
      code = mndAddSuperTableTag(pOld, &stbObj, pAlter->pFields, pAlter->numOfFields);
@@ -1020,9 +1034,13 @@ static int32_t mndProcessMAlterStbReq(SMnodeMsg *pReq) {
  int32_t      code = -1;
  SDbObj      *pDb = NULL;
  SStbObj     *pStb = NULL;
+  SUserObj    *pUser = NULL;
  SMAltertbReq alterReq = {0};

-  if (tDeserializeSMAlterStbReq(pReq->rpcMsg.pCont, &alterReq) == NULL) goto ALTER_STB_OVER;
+  if (tDeserializeSMAlterStbReq(pReq->rpcMsg.pCont, &alterReq) == NULL) {
+    terrno = TSDB_CODE_INVALID_MSG;
+    goto ALTER_STB_OVER;
+  }

  mDebug("stb:%s, start to alter", alterReq.name);
  if (mndCheckAlterStbReq(&alterReq) != 0) goto ALTER_STB_OVER;
@@ -1039,6 +1057,15 @@ static int32_t mndProcessMAlterStbReq(SMnodeMsg *pReq) {
    goto ALTER_STB_OVER;
  }

+  pUser = mndAcquireUser(pMnode, pReq->user);
+  if (pUser == NULL) {
+    goto ALTER_STB_OVER;
+  }
+
+  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+    goto ALTER_STB_OVER;
+  }
+
  code = mndAlterStb(pMnode, pReq, &alterReq, pDb, pStb);
  if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;

@@ -1049,6 +1076,7 @@ ALTER_STB_OVER:

  mndReleaseStb(pMnode, pStb);
  mndReleaseDb(pMnode, pDb);
+  mndReleaseUser(pMnode, pUser);
  taosArrayDestroy(alterReq.pFields);

  return code;
@@ -1135,43 +1163,60 @@ DROP_STB_OVER:
 }

 static int32_t mndProcessMDropStbReq(SMnodeMsg *pReq) {
-  SMnode *pMnode = pReq->pMnode;
-
+  SMnode      *pMnode = pReq->pMnode;
+  int32_t      code = -1;
+  SUserObj    *pUser = NULL;
+  SDbObj      *pDb = NULL;
+  SStbObj     *pStb = NULL;
  SMDropStbReq dropReq = {0};
-  tDeserializeSMDropStbReq(pReq->rpcMsg.pCont, &dropReq);
+
+  if (tDeserializeSMDropStbReq(pReq->rpcMsg.pCont, &dropReq) != 0) {
+    terrno = TSDB_CODE_INVALID_MSG;
+    goto DROP_STB_OVER;
+  }

  mDebug("stb:%s, start to drop", dropReq.name);

-  SStbObj *pStb = mndAcquireStb(pMnode, dropReq.name);
+  pStb = mndAcquireStb(pMnode, dropReq.name);
  if (pStb == NULL) {
    if (dropReq.igNotExists) {
      mDebug("stb:%s, not exist, ignore not exist is set", dropReq.name);
-      return 0;
+      code = 0;
+      goto DROP_STB_OVER;
    } else {
      terrno = TSDB_CODE_MND_STB_NOT_EXIST;
-      mError("stb:%s, failed to drop since %s", dropReq.name, terrstr());
-      return -1;
+      goto DROP_STB_OVER;
    }
  }

-  SDbObj *pDb = mndAcquireDbByStb(pMnode, dropReq.name);
+  pDb = mndAcquireDbByStb(pMnode, dropReq.name);
  if (pDb == NULL) {
-    mndReleaseStb(pMnode, pStb);
    terrno = TSDB_CODE_MND_DB_NOT_SELECTED;
-    mError("stb:%s, failed to drop since %s", dropReq.name, terrstr());
-    return -1;
+    goto DROP_STB_OVER;
  }

-  int32_t code = mndDropStb(pMnode, pReq, pDb, pStb);
-  mndReleaseDb(pMnode, pDb);
-  mndReleaseStb(pMnode, pStb);
+  pUser = mndAcquireUser(pMnode, pReq->user);
+  if (pUser == NULL) {
+    goto DROP_STB_OVER;
+  }

-  if (code != 0) {
+  if (mndCheckWriteAuth(pUser, pDb) != 0) {
+    goto DROP_STB_OVER;
+  }
+
+  code = mndDropStb(pMnode, pReq, pDb, pStb);
+  if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;
+
+DROP_STB_OVER:
+  if (code != 0 && code != TSDB_CODE_MND_ACTION_IN_PROGRESS) {
    mError("stb:%s, failed to drop since %s", dropReq.name, terrstr());
-    return -1;
  }

-  return TSDB_CODE_MND_ACTION_IN_PROGRESS;
+  mndReleaseDb(pMnode, pDb);
+  mndReleaseStb(pMnode, pStb);
+  mndReleaseUser(pMnode, pUser);
+
+  return code;
 }

 static int32_t mndProcessVDropStbRsp(SMnodeMsg *pRsp) {