From d768f49dd794e1441d9f8b3b29ccf17e05e019f4 Mon Sep 17 00:00:00 2001 From: dapan1121 Date: Thu, 6 Apr 2023 10:01:27 +0800 Subject: [PATCH] feat: table level user auth --- include/libs/catalog/catalog.h | 16 ++- source/libs/catalog/CMakeLists.txt | 4 +- source/libs/catalog/inc/catalogInt.h | 25 ++-- source/libs/catalog/src/catalog.c | 53 ++++----- source/libs/catalog/src/ctgAsync.c | 71 ++++++------ source/libs/catalog/src/ctgCache.c | 71 ++++-------- source/libs/catalog/src/ctgUtil.c | 133 +++++++++++++++++++++- source/libs/catalog/test/catalogTests.cpp | 18 +-- source/libs/parser/src/parAuthenticator.c | 5 +- source/libs/parser/src/parInsertSql.c | 13 ++- source/libs/parser/src/parUtil.c | 5 +- source/libs/parser/test/mockCatalog.cpp | 10 +- 12 files changed, 272 insertions(+), 152 deletions(-) diff --git a/include/libs/catalog/catalog.h b/include/libs/catalog/catalog.h index fbb24d2862..2c684f8f76 100644 --- a/include/libs/catalog/catalog.h +++ b/include/libs/catalog/catalog.h @@ -29,6 +29,7 @@ extern "C" { #include "tmsg.h" #include "tname.h" #include "transport.h" +#include "nodes.h" typedef struct SCatalog SCatalog; @@ -49,10 +50,15 @@ typedef enum { typedef struct SUserAuthInfo { char user[TSDB_USER_LEN]; - char dbFName[TSDB_DB_FNAME_LEN]; + SName tbName; AUTH_TYPE type; } SUserAuthInfo; +typedef struct SUserAuthRes { + bool pass; + SNode* pCond; +} SUserAuthRes; + typedef struct SDbInfo { int32_t vgVer; int32_t tbNum; @@ -96,7 +102,7 @@ typedef struct SMetaData { SArray* pTableIndex; // pRes = SArray* SArray* pUdfList; // pRes = SFuncInfo* SArray* pIndex; // pRes = SIndexInfo* - SArray* pUser; // pRes = bool* + SArray* pUser; // pRes = SUserAuthRes* SArray* pQnodeList; // pRes = SArray* SArray* pTableCfg; // pRes = STableCfg* SArray* pDnodeList; // pRes = SArray* @@ -312,11 +318,9 @@ int32_t catalogUpdateTableIndex(SCatalog* pCtg, STableIndexRsp* pRsp); int32_t catalogGetUdfInfo(SCatalog* pCtg, SRequestConnInfo* pConn, const char* funcName, SFuncInfo* pInfo); -int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type, - bool* pass); +int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes); -int32_t catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type, bool* pass, - bool* exists); +int32_t catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth, SUserAuthRes* pRes, bool* exists); int32_t catalogUpdateUserAuthInfo(SCatalog* pCtg, SGetUserAuthRsp* pAuth); diff --git a/source/libs/catalog/CMakeLists.txt b/source/libs/catalog/CMakeLists.txt index 632034d6b6..bc56ff4c7f 100644 --- a/source/libs/catalog/CMakeLists.txt +++ b/source/libs/catalog/CMakeLists.txt @@ -8,9 +8,9 @@ target_include_directories( target_link_libraries( catalog - PRIVATE os util transport qcom + PRIVATE os util transport qcom nodes ) if(${BUILD_TEST}) ADD_SUBDIRECTORY(test) -endif(${BUILD_TEST}) \ No newline at end of file +endif(${BUILD_TEST}) diff --git a/source/libs/catalog/inc/catalogInt.h b/source/libs/catalog/inc/catalogInt.h index 8fc7df63be..711274ce1d 100644 --- a/source/libs/catalog/inc/catalogInt.h +++ b/source/libs/catalog/inc/catalogInt.h @@ -99,6 +99,20 @@ typedef struct SCtgDebug { uint32_t showCachePeriodSec; } SCtgDebug; +typedef struct SCtgAuthReq { + SRequestConnInfo* pConn; + SUserAuthInfo* pRawReq; + SGetUserAuthRsp authInfo; + AUTH_TYPE singleType; + bool onlyCache; +} SCtgAuthReq; + +typedef struct SCtgAuthRsp { + SUserAuthRes* pRawRes; + bool metaNotExists; +} SCtgAuthRsp; + + typedef struct SCtgTbCacheInfo { bool inCache; uint64_t dbId; @@ -214,12 +228,8 @@ typedef struct SCtgRentMgmt { } SCtgRentMgmt; typedef struct SCtgUserAuth { - int32_t version; - SRWLatch lock; - bool superUser; - SHashObj* createdDbs; - SHashObj* readDbs; - SHashObj* writeDbs; + SRWLatch lock; + SGetUserAuthRsp userAuth; } SCtgUserAuth; typedef struct SCatalog { @@ -703,7 +713,7 @@ int32_t ctgTbMetaExistInCache(SCatalog* pCtg, char* dbFName, char* tbName, int32 int32_t ctgReadTbMetaFromCache(SCatalog* pCtg, SCtgTbMetaCtx* ctx, STableMeta** pTableMeta); int32_t ctgReadTbVerFromCache(SCatalog* pCtg, SName* pTableName, int32_t* sver, int32_t* tver, int32_t* tbType, uint64_t* suid, char* stbName); -int32_t ctgChkAuthFromCache(SCatalog* pCtg, char* user, char* dbFName, AUTH_TYPE type, bool* inCache, bool* pass); +int32_t ctgChkAuthFromCache(SCatalog *pCtg, SUserAuthInfo *pReq, bool *inCache, SCtgAuthRsp* pRes); int32_t ctgDropDbCacheEnqueue(SCatalog* pCtg, const char* dbFName, int64_t dbId); int32_t ctgDropDbVgroupEnqueue(SCatalog* pCtg, const char* dbFName, bool syncReq); int32_t ctgDropStbMetaEnqueue(SCatalog* pCtg, const char* dbFName, int64_t dbId, const char* stbName, uint64_t suid, @@ -806,6 +816,7 @@ int32_t ctgAcquireVgMetaFromCache(SCatalog *pCtg, const char *dbFName, const cha int32_t ctgCopyTbMeta(SCatalog *pCtg, SCtgTbMetaCtx *ctx, SCtgDBCache **pDb, SCtgTbCache **pTb, STableMeta **pTableMeta, char* dbFName); void ctgReleaseVgMetaToCache(SCatalog *pCtg, SCtgDBCache *dbCache, SCtgTbCache *pCache); void ctgReleaseTbMetaToCache(SCatalog *pCtg, SCtgDBCache *dbCache, SCtgTbCache *pCache); +int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res); extern SCatalogMgmt gCtgMgmt; extern SCtgDebug gCTGDebug; diff --git a/source/libs/catalog/src/catalog.c b/source/libs/catalog/src/catalog.c index f9a218835e..f4549417f0 100644 --- a/source/libs/catalog/src/catalog.c +++ b/source/libs/catalog/src/catalog.c @@ -319,14 +319,13 @@ _return: CTG_RET(code); } -int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type, - bool* pass, bool* exists) { +int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pReq, SUserAuthRes* pRes, bool* exists) { bool inCache = false; int32_t code = 0; + SCtgAuthRsp rsp = {0}; + rsp.pRawRes = pRes; - *pass = false; - - CTG_ERR_RET(ctgChkAuthFromCache(pCtg, (char*)user, (char*)dbFName, type, &inCache, pass)); + CTG_ERR_RET(ctgChkAuthFromCache(pCtg, pReq, &inCache, &rsp)); if (inCache) { if (exists) { @@ -339,30 +338,22 @@ int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, co return TSDB_CODE_SUCCESS; } - SGetUserAuthRsp authRsp = {0}; - CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, user, &authRsp, NULL)); - - if (authRsp.superAuth) { - *pass = true; - goto _return; - } - - if (authRsp.createdDbs && taosHashGet(authRsp.createdDbs, dbFName, strlen(dbFName))) { - *pass = true; - goto _return; - } + SCtgAuthReq req = {0}; + req.pRawReq = pReq; + req.pConn = pConn; + req.onlyCache = exists ? true : false; + CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pReq->user, &req.authInfo, NULL)); - if (CTG_AUTH_READ(type) && authRsp.readDbs && taosHashGet(authRsp.readDbs, dbFName, strlen(dbFName))) { - *pass = true; - } else if (CTG_AUTH_WRITE(type) && authRsp.writeDbs && taosHashGet(authRsp.writeDbs, dbFName, strlen(dbFName))) { - *pass = true; + CTG_ERR_JRET(ctgChkSetAuthRes(pCtg, &req, &rsp)); + if (rsp.metaNotExists && exists) { + *exists = false; } _return: - ctgUpdateUserEnqueue(pCtg, &authRsp, false); + ctgUpdateUserEnqueue(pCtg, &req.authInfo, false); - return TSDB_CODE_SUCCESS; + CTG_RET(code); } int32_t ctgGetTbType(SCatalog* pCtg, SRequestConnInfo* pConn, SName* pTableName, int32_t* tbType) { @@ -1368,7 +1359,7 @@ int32_t catalogGetExpiredUsers(SCatalog* pCtg, SUserAuthVersion** users, uint32_ void* key = taosHashGetKey(pAuth, &len); strncpy((*users)[i].user, key, len); (*users)[i].user[len] = 0; - (*users)[i].version = pAuth->version; + (*users)[i].version = pAuth->userAuth.version; ++i; if (i >= *num) { taosHashCancelIterate(pCtg->userCache, pAuth); @@ -1448,32 +1439,30 @@ _return: CTG_API_LEAVE(code); } -int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type, - bool* pass) { +int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes) { CTG_API_ENTER(); - if (NULL == pCtg || NULL == pConn || NULL == user || NULL == dbFName || NULL == pass) { + if (NULL == pCtg || NULL == pConn || NULL == pAuth || NULL == pRes) { CTG_API_LEAVE(TSDB_CODE_CTG_INVALID_INPUT); } int32_t code = 0; - CTG_ERR_JRET(ctgChkAuth(pCtg, pConn, user, dbFName, type, pass, NULL)); + CTG_ERR_JRET(ctgChkAuth(pCtg, pConn, pAuth, pRes, NULL)); _return: CTG_API_LEAVE(code); } -int32_t catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type, - bool* pass, bool* exists) { +int32_t catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth, SUserAuthRes* pRes, bool* exists) { CTG_API_ENTER(); - if (NULL == pCtg || NULL == user || NULL == dbFName || NULL == pass || NULL == exists) { + if (NULL == pCtg || NULL == pAuth || NULL == pRes || NULL == exists) { CTG_API_LEAVE(TSDB_CODE_CTG_INVALID_INPUT); } int32_t code = 0; - CTG_ERR_JRET(ctgChkAuth(pCtg, NULL, user, dbFName, type, pass, exists)); + CTG_ERR_JRET(ctgChkAuth(pCtg, NULL, pAuth, pRes, exists)); _return: diff --git a/source/libs/catalog/src/ctgAsync.c b/source/libs/catalog/src/ctgAsync.c index f62e93b82a..92ac33a566 100644 --- a/source/libs/catalog/src/ctgAsync.c +++ b/source/libs/catalog/src/ctgAsync.c @@ -1550,45 +1550,20 @@ _return: int32_t ctgHandleGetUserRsp(SCtgTaskReq* tReq, int32_t reqType, const SDataBuf* pMsg, int32_t rspCode) { int32_t code = 0; SCtgTask* pTask = tReq->pTask; - SCtgUserCtx* ctx = (SCtgUserCtx*)pTask->taskCtx; SCatalog* pCtg = pTask->pJob->pCtg; - bool pass = false; SGetUserAuthRsp* pOut = (SGetUserAuthRsp*)pTask->msgCtx.out; CTG_ERR_JRET(ctgProcessRspMsg(pTask->msgCtx.out, reqType, pMsg->pData, pMsg->len, rspCode, pTask->msgCtx.target)); - if (pOut->superAuth) { - pass = true; - goto _return; - } + ctgUpdateUserEnqueue(pCtg, pOut, true); + taosMemoryFreeClear(pTask->msgCtx.out); - if (pOut->createdDbs && taosHashGet(pOut->createdDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) { - pass = true; - goto _return; - } + CTG_ERR_JRET((*gCtgAsyncFps[pTask->type].launchFp)(pTask)); - if (CTG_AUTH_READ(ctx->user.type) && pOut->readDbs && - taosHashGet(pOut->readDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) { - pass = true; - } else if (CTG_AUTH_WRITE(ctx->user.type) && pOut->writeDbs && - taosHashGet(pOut->writeDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) { - pass = true; - } + return TSDB_CODE_SUCCESS; _return: - if (TSDB_CODE_SUCCESS == code) { - pTask->res = taosMemoryCalloc(1, sizeof(bool)); - if (NULL == pTask->res) { - code = TSDB_CODE_OUT_OF_MEMORY; - } else { - *(bool*)pTask->res = pass; - } - } - - ctgUpdateUserEnqueue(pCtg, pOut, false); - taosMemoryFreeClear(pTask->msgCtx.out); - ctgHandleTaskEnd(pTask, code); CTG_RET(code); @@ -2067,31 +2042,39 @@ int32_t ctgLaunchGetUdfTask(SCtgTask* pTask) { } int32_t ctgLaunchGetUserTask(SCtgTask* pTask) { + int32_t code = 0; SCatalog* pCtg = pTask->pJob->pCtg; SRequestConnInfo* pConn = &pTask->pJob->conn; SCtgUserCtx* pCtx = (SCtgUserCtx*)pTask->taskCtx; bool inCache = false; - bool pass = false; + SCtgAuthRsp rsp = {0}; SCtgJob* pJob = pTask->pJob; SCtgMsgCtx* pMsgCtx = CTG_GET_TASK_MSGCTX(pTask, -1); if (NULL == pMsgCtx->pBatchs) { pMsgCtx->pBatchs = pJob->pBatchs; } - CTG_ERR_RET(ctgChkAuthFromCache(pCtg, pCtx->user.user, pCtx->user.dbFName, pCtx->user.type, &inCache, &pass)); + rsp.pRawRes = taosMemoryCalloc(1, sizeof(SUserAuthRes)); + if (NULL == rsp.pRawRes) { + CTG_ERR_RET(TSDB_CODE_OUT_OF_MEMORY); + } + + CTG_ERR_RET(ctgChkAuthFromCache(pCtg, &pCtx->user, &inCache, &rsp)); if (inCache) { - pTask->res = taosMemoryCalloc(1, sizeof(bool)); - if (NULL == pTask->res) { - CTG_ERR_RET(TSDB_CODE_OUT_OF_MEMORY); - } - *(bool*)pTask->res = pass; + pTask->res = rsp.pRawRes; CTG_ERR_RET(ctgHandleTaskEnd(pTask, 0)); return TSDB_CODE_SUCCESS; } - CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pCtx->user.user, NULL, pTask)); + taosMemoryFreeClear(rsp.pRawRes); + if (rsp.metaNotExists) { + CTG_ERR_RET(ctgLaunchSubTask(pTask, CTG_TASK_GET_TB_META, ctgGetTbCfgCb, &pCtx->user.tbName)); + } else { + CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pCtx->user.user, NULL, pTask)); + } + return TSDB_CODE_SUCCESS; } @@ -2139,6 +2122,20 @@ _return: CTG_RET(ctgHandleTaskEnd(pTask, pTask->subRes.code)); } + +int32_t ctgGetUserCb(SCtgTask* pTask) { + int32_t code = 0; + + CTG_ERR_JRET(pTask->subRes.code); + + CTG_RET(ctgLaunchGetUserTask(pTask)); + +_return: + + CTG_RET(ctgHandleTaskEnd(pTask, pTask->subRes.code)); +} + + int32_t ctgCompDbVgTasks(SCtgTask* pTask, void* param, bool* equal) { SCtgDbVgCtx* ctx = pTask->taskCtx; diff --git a/source/libs/catalog/src/ctgCache.c b/source/libs/catalog/src/ctgCache.c index 7ff8afd6a5..d847735f4f 100644 --- a/source/libs/catalog/src/ctgCache.c +++ b/source/libs/catalog/src/ctgCache.c @@ -678,55 +678,40 @@ _return: CTG_RET(code); } -int32_t ctgChkAuthFromCache(SCatalog *pCtg, char *user, char *dbFName, AUTH_TYPE type, bool *inCache, bool *pass) { - char *p = strchr(dbFName, '.'); - if (p) { - ++p; - } else { - p = dbFName; - } - - if (IS_SYS_DBNAME(p)) { +int32_t ctgChkAuthFromCache(SCatalog *pCtg, SUserAuthInfo *pReq, bool *inCache, SCtgAuthRsp* pRes) { + if (IS_SYS_DBNAME(pReq->tbName.dbname)) { *inCache = true; - *pass = true; - ctgDebug("sysdb %s, pass", dbFName); + pRes->pRawRes->pass = true; + ctgDebug("sysdb %s, pass", pReq->tbName.dbname); return TSDB_CODE_SUCCESS; } - SCtgUserAuth *pUser = (SCtgUserAuth *)taosHashGet(pCtg->userCache, user, strlen(user)); + SCtgUserAuth *pUser = (SCtgUserAuth *)taosHashGet(pCtg->userCache, pReq->user, strlen(pReq->user)); if (NULL == pUser) { - ctgDebug("user not in cache, user:%s", user); + ctgDebug("user not in cache, user:%s", pReq->user); goto _return; } *inCache = true; - ctgDebug("Got user from cache, user:%s", user); + ctgDebug("Got user from cache, user:%s", pReq->user); CTG_CACHE_STAT_INC(numOfUserHit, 1); - if (pUser->superUser) { - *pass = true; - return TSDB_CODE_SUCCESS; - } + SCtgAuthReq req = {0}; + req.pRawReq = pReq; + req.onlyCache = true; CTG_LOCK(CTG_READ, &pUser->lock); - if (pUser->createdDbs && taosHashGet(pUser->createdDbs, dbFName, strlen(dbFName))) { - *pass = true; - CTG_UNLOCK(CTG_READ, &pUser->lock); - return TSDB_CODE_SUCCESS; - } - - if (pUser->readDbs && taosHashGet(pUser->readDbs, dbFName, strlen(dbFName)) && CTG_AUTH_READ(type)) { - *pass = true; - } - - if (pUser->writeDbs && taosHashGet(pUser->writeDbs, dbFName, strlen(dbFName)) && CTG_AUTH_WRITE(type)) { - *pass = true; - } - + memcpy(&req.authInfo, &pUser->userAuth, sizeof(pUser->userAuth)); + int32_t code = ctgChkSetAuthRes(pCtg, &req, pRes); CTG_UNLOCK(CTG_READ, &pUser->lock); + CTG_ERR_JRET(code); + + if (pRes->metaNotExists) { + goto _return; + } - return TSDB_CODE_SUCCESS; + CTG_RET(code); _return: @@ -2024,11 +2009,7 @@ int32_t ctgOpUpdateUser(SCtgCacheOperation *operation) { if (NULL == pUser) { SCtgUserAuth userAuth = {0}; - userAuth.version = msg->userAuth.version; - userAuth.superUser = msg->userAuth.superAuth; - userAuth.createdDbs = msg->userAuth.createdDbs; - userAuth.readDbs = msg->userAuth.readDbs; - userAuth.writeDbs = msg->userAuth.writeDbs; + memcpy(&userAuth.userAuth, &msg->userAuth, sizeof(msg->userAuth)); if (taosHashPut(pCtg->userCache, msg->userAuth.user, strlen(msg->userAuth.user), &userAuth, sizeof(userAuth))) { ctgError("taosHashPut user %s to cache failed", msg->userAuth.user); @@ -2040,20 +2021,18 @@ int32_t ctgOpUpdateUser(SCtgCacheOperation *operation) { return TSDB_CODE_SUCCESS; } - pUser->version = msg->userAuth.version; - CTG_LOCK(CTG_WRITE, &pUser->lock); - taosHashCleanup(pUser->createdDbs); - pUser->createdDbs = msg->userAuth.createdDbs; + taosHashCleanup(pUser->userAuth.createdDbs); + pUser->userAuth.createdDbs = msg->userAuth.createdDbs; msg->userAuth.createdDbs = NULL; - taosHashCleanup(pUser->readDbs); - pUser->readDbs = msg->userAuth.readDbs; + taosHashCleanup(pUser->userAuth.readDbs); + pUser->userAuth.readDbs = msg->userAuth.readDbs; msg->userAuth.readDbs = NULL; - taosHashCleanup(pUser->writeDbs); - pUser->writeDbs = msg->userAuth.writeDbs; + taosHashCleanup(pUser->userAuth.writeDbs); + pUser->userAuth.writeDbs = msg->userAuth.writeDbs; msg->userAuth.writeDbs = NULL; CTG_UNLOCK(CTG_WRITE, &pUser->lock); diff --git a/source/libs/catalog/src/ctgUtil.c b/source/libs/catalog/src/ctgUtil.c index 9b013c2892..501ad63dce 100644 --- a/source/libs/catalog/src/ctgUtil.c +++ b/source/libs/catalog/src/ctgUtil.c @@ -174,9 +174,11 @@ void ctgFreeSMetaData(SMetaData* pData) { } void ctgFreeSCtgUserAuth(SCtgUserAuth* userCache) { - taosHashCleanup(userCache->createdDbs); - taosHashCleanup(userCache->readDbs); - taosHashCleanup(userCache->writeDbs); + taosHashCleanup(userCache->userAuth.createdDbs); + taosHashCleanup(userCache->userAuth.readDbs); + taosHashCleanup(userCache->userAuth.writeDbs); + taosHashCleanup(userCache->userAuth.readTbs); + taosHashCleanup(userCache->userAuth.writeTbs); } void ctgFreeMetaRent(SCtgRentMgmt* mgmt) { @@ -1330,6 +1332,131 @@ static void* ctgCloneDnodeList(void* pSrc) { return taosArrayDup((const SArray*) static void ctgFreeDnodeList(void* p) { taosArrayDestroy((SArray*)((SMetaRes*)p)->pRes); } +int32_t ctgChkSetTbAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) { + int32_t code = 0; + STableMeta *pMeta = NULL; + SGetUserAuthRsp *pInfo = &req->authInfo; + SHashObj *pTbs = (AUTH_TYPE_READ == req->singleType) ? pInfo->readTbs : pInfo->writeTbs; + + char *pCond = taosHashGet(pTbs, req->pRawReq->tbName.tname, strlen(req->pRawReq->tbName.tname)); + if (pCond) { + if (strlen(pCond) > 1) { + CTG_RET(nodesStringToNode(pCond, &res->pRawRes->pCond)); + } + + res->pRawRes->pass = true; + return TSDB_CODE_SUCCESS; + } + + CTG_ERR_RET(catalogGetCachedTableMeta(pCtg, &req->pRawReq->tbName, &pMeta)); + if (NULL == pMeta) { + if (req->onlyCache) { + res->metaNotExists = true; + ctgDebug("db %s tb %s meta not in cache for auth", req->pRawReq->tbName.dbname, req->pRawReq->tbName.tname); + return TSDB_CODE_SUCCESS; + } + + CTG_ERR_RET(catalogGetTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, &pMeta)); + } + + if (TSDB_SUPER_TABLE == pMeta->tableType || TSDB_NORMAL_TABLE == pMeta->tableType) { + res->pRawRes->pass = false; + goto _return; + } + + if (TSDB_CHILD_TABLE == pMeta->tableType) { + res->pRawRes->pass = true; + +/* + char stbName[TSDB_TABLE_NAME_LEN] = {0}; + CTG_ERR_JRET(ctgGetCachedStbNameFromSuid(pCtg, pMeta->suid, stbName)); + if (0 == stbName[0]) { + if (req->onlyCache) { + res->notExists = true; + return TSDB_CODE_SUCCESS; + } + + CTG_ERR_RET(catalogRefreshTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, 0)); + } +*/ + } + +_return: + + taosMemoryFree(pMeta); + + CTG_RET(code); +} + +int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) { + int32_t code = 0; + SUserAuthInfo* pReq = req->pRawReq; + SUserAuthRes* pRes = res->pRawRes; + SGetUserAuthRsp *pInfo = &req->authInfo; + + pRes->pass = false; + pRes->pCond = NULL; + + if (!pInfo->enable) { + pRes->pass = false; + return TSDB_CODE_SUCCESS; + } + + if (pInfo->superAuth) { + pRes->pass = true; + return TSDB_CODE_SUCCESS; + } + + char dbFName[TSDB_DB_FNAME_LEN]; + tNameGetFullDbName(&pReq->tbName, dbFName); + + if (pInfo->createdDbs && taosHashGet(pInfo->createdDbs, dbFName, strlen(dbFName))) { + pRes->pass = true; + return TSDB_CODE_SUCCESS; + } + + switch (pReq->type) { + case AUTH_TYPE_READ: { + if (pInfo->readDbs && taosHashGet(pInfo->readDbs, dbFName, strlen(dbFName))) { + pRes->pass = true; + return TSDB_CODE_SUCCESS; + } + if (pInfo->readTbs && taosHashGetSize(pInfo->readTbs) > 0) { + req->singleType = AUTH_TYPE_READ; + CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res)); + } + + break; + } + case AUTH_TYPE_WRITE: { + if (pInfo->writeDbs && taosHashGet(pInfo->writeDbs, dbFName, strlen(dbFName))) { + pRes->pass = true; + return TSDB_CODE_SUCCESS; + } + if (pInfo->writeTbs && taosHashGetSize(pInfo->writeTbs) > 0) { + req->singleType = AUTH_TYPE_WRITE; + CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res)); + } + + break; + } + case AUTH_TYPE_READ_OR_WRITE: { + if ((pInfo->readDbs && taosHashGet(pInfo->readDbs, dbFName, strlen(dbFName))) || + (pInfo->writeDbs && taosHashGet(pInfo->writeDbs, dbFName, strlen(dbFName)))){ + pRes->pass = true; + return TSDB_CODE_SUCCESS; + } + + break; + } + default: + break; + } + + return TSDB_CODE_SUCCESS; +} + + #if 0 static int32_t ctgCloneMetaDataArray(SArray* pSrc, __array_item_dup_fn_t copyFunc, SArray** pDst) { if (NULL == pSrc) { diff --git a/source/libs/catalog/test/catalogTests.cpp b/source/libs/catalog/test/catalogTests.cpp index 5e543384ac..bdced0074e 100644 --- a/source/libs/catalog/test/catalogTests.cpp +++ b/source/libs/catalog/test/catalogTests.cpp @@ -2800,15 +2800,19 @@ TEST(apiTest, catalogChkAuth_test) { code = catalogGetHandle(ctgTestClusterId, &pCtg); ASSERT_EQ(code, 0); - bool pass = false; + SUserAuthInfo authInfo = {0}; + SUserAuthRes authRes = {0}; + strcpy(authInfo.user, ctgTestUsername); + toName(1, ctgTestDbname, ctgTestSTablename, &authInfo.tbName); + authInfo.type = AUTH_TYPE_READ; bool exists = false; - code = catalogChkAuthFromCache(pCtg, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass, &exists); + code = catalogChkAuthFromCache(pCtg, &authInfo, &authRes, &exists); ASSERT_EQ(code, 0); ASSERT_EQ(exists, false); - - code = catalogChkAuth(pCtg, mockPointer, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass); + + code = catalogChkAuth(pCtg, mockPointer, &authInfo, &authRes); ASSERT_EQ(code, 0); - ASSERT_EQ(pass, true); + ASSERT_EQ(authRes.pass, true); while (true) { uint64_t n = 0; @@ -2820,9 +2824,9 @@ TEST(apiTest, catalogChkAuth_test) { } } - code = catalogChkAuthFromCache(pCtg, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass, &exists); + code = catalogChkAuthFromCache(pCtg, &authInfo, &authRes, &exists); ASSERT_EQ(code, 0); - ASSERT_EQ(pass, true); + ASSERT_EQ(authRes.pass, true); ASSERT_EQ(exists, true); catalogDestroy(); diff --git a/source/libs/parser/src/parAuthenticator.c b/source/libs/parser/src/parAuthenticator.c index e4de60fd05..a0ded97c5f 100644 --- a/source/libs/parser/src/parAuthenticator.c +++ b/source/libs/parser/src/parAuthenticator.c @@ -44,7 +44,10 @@ static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, AUTH_TYPE type) { .requestObjRefId = pParseCxt->requestRid, .mgmtEps = pParseCxt->mgmtEpSet}; - code = catalogChkAuth(pParseCxt->pCatalog, &conn, pParseCxt->pUser, dbFname, type, &pass); + SUserAuthInfo authInfo = {0}; + SUserAuthRes authRes = {0}; + //code = catalogChkAuth(pParseCxt->pCatalog, &conn, pParseCxt->pUser, dbFname, type, &pass); + code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes); } return TSDB_CODE_SUCCESS == code ? (pass ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED) : code; } diff --git a/source/libs/parser/src/parInsertSql.c b/source/libs/parser/src/parInsertSql.c index 3fbe23592a..dcc769624f 100644 --- a/source/libs/parser/src/parInsertSql.c +++ b/source/libs/parser/src/parInsertSql.c @@ -729,13 +729,20 @@ static int32_t checkAuth(SParseContext* pCxt, SName* pTbName, bool* pMissCache) bool pass = true; bool exists = true; if (pCxt->async) { - code = catalogChkAuthFromCache(pCxt->pCatalog, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass, &exists); + SUserAuthInfo authInfo = {0}; + SUserAuthRes authRes = {0}; +// code = catalogChkAuthFromCache(pCxt->pCatalog, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass, &exists); + code = catalogChkAuthFromCache(pCxt->pCatalog, &authInfo, &authRes, &exists); } else { SRequestConnInfo conn = {.pTrans = pCxt->pTransporter, .requestId = pCxt->requestId, .requestObjRefId = pCxt->requestRid, .mgmtEps = pCxt->mgmtEpSet}; - code = catalogChkAuth(pCxt->pCatalog, &conn, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass); + SUserAuthInfo authInfo = {0}; + SUserAuthRes authRes = {0}; + //code = catalogChkAuth(pCxt->pCatalog, &conn, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass); + code = catalogChkAuth(pCxt->pCatalog, &conn, &authInfo, &authRes); + } if (TSDB_CODE_SUCCESS == code) { if (!exists) { @@ -1901,7 +1908,7 @@ static int32_t buildInsertUserAuthReq(const char* pUser, SName* pName, SArray** SUserAuthInfo userAuth = {.type = AUTH_TYPE_WRITE}; snprintf(userAuth.user, sizeof(userAuth.user), "%s", pUser); - tNameGetFullDbName(pName, userAuth.dbFName); + //tNameGetFullDbName(pName, userAuth.dbFName); taosArrayPush(*pUserAuth, &userAuth); return TSDB_CODE_SUCCESS; diff --git a/source/libs/parser/src/parUtil.c b/source/libs/parser/src/parUtil.c index 563bc5e780..5c56d11b52 100644 --- a/source/libs/parser/src/parUtil.c +++ b/source/libs/parser/src/parUtil.c @@ -509,7 +509,7 @@ static void stringToUserAuth(const char* pStr, int32_t len, SUserAuthInfo* pUser strncpy(pUserAuth->user, pStr, p1 - pStr); ++p1; char* p2 = strchr(p1, '*'); - strncpy(pUserAuth->dbFName, p1, p2 - p1); + //strncpy(pUserAuth->dbFName, p1, p2 - p1); ++p2; char buf[10] = {0}; strncpy(buf, p2, len - (p2 - pStr)); @@ -712,7 +712,8 @@ static int32_t putUserAuthToCache(const SArray* pUserAuthReq, const SArray* pUse for (int32_t i = 0; i < nvgs; ++i) { SUserAuthInfo* pUser = taosArrayGet(pUserAuthReq, i); char key[USER_AUTH_KEY_MAX_LEN] = {0}; - int32_t len = userAuthToStringExt(pUser->user, pUser->dbFName, pUser->type, key); + //int32_t len = userAuthToStringExt(pUser->user, pUser->dbFName, pUser->type, key); + int32_t len = 0; if (TSDB_CODE_SUCCESS != putMetaDataToHash(key, len, pUserAuthData, i, pUserAuth)) { return TSDB_CODE_OUT_OF_MEMORY; } diff --git a/source/libs/parser/test/mockCatalog.cpp b/source/libs/parser/test/mockCatalog.cpp index 1af214bfb4..be4f3cd80b 100644 --- a/source/libs/parser/test/mockCatalog.cpp +++ b/source/libs/parser/test/mockCatalog.cpp @@ -279,15 +279,13 @@ int32_t __catalogGetDBCfg(SCatalog* pCtg, SRequestConnInfo* pConn, const char* d return g_mockCatalogService->catalogGetDBCfg(dbFName, pDbCfg); } -int32_t __catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type, - bool* pass) { - *pass = true; +int32_t __catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes) { + pRes->pass = true; return 0; } -int32_t __catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type, bool* pass, - bool* exists) { - *pass = true; +int32_t __catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth, SUserAuthRes* pRes, bool* exists) { + pRes->pass = true; *exists = true; return 0; } -- GitLab