feat: table level user auth

include/libs/catalog/catalog.h

@@ -29,6 +29,7 @@ extern "C" {
 #include "tmsg.h"
 #include "tname.h"
 #include "transport.h"
+#include "nodes.h"
 
 typedef struct SCatalog SCatalog;
 
@@ -49,10 +50,15 @@ typedef enum {
 
 typedef struct SUserAuthInfo {
   char      user[TSDB_USER_LEN];
-  char      dbFName[TSDB_DB_FNAME_LEN];
+  SName     tbName;
   AUTH_TYPE type;
 } SUserAuthInfo;
 
+typedef struct SUserAuthRes {
+  bool   pass;
+  SNode* pCond;
+} SUserAuthRes;
+
 typedef struct SDbInfo {
   int32_t vgVer;
   int32_t tbNum;
@@ -96,7 +102,7 @@ typedef struct SMetaData {
   SArray*   pTableIndex;  // pRes = SArray<STableIndexInfo>*
   SArray*   pUdfList;     // pRes = SFuncInfo*
   SArray*   pIndex;       // pRes = SIndexInfo*
-  SArray*   pUser;        // pRes = bool*
+  SArray*   pUser;        // pRes = SUserAuthRes*
   SArray*   pQnodeList;   // pRes = SArray<SQueryNodeLoad>*
   SArray*   pTableCfg;    // pRes = STableCfg*
   SArray*   pDnodeList;   // pRes = SArray<SEpSet>*
@@ -312,11 +318,9 @@ int32_t catalogUpdateTableIndex(SCatalog* pCtg, STableIndexRsp* pRsp);
 
 int32_t catalogGetUdfInfo(SCatalog* pCtg, SRequestConnInfo* pConn, const char* funcName, SFuncInfo* pInfo);
 
-int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type,
-                       bool* pass);
+int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes);
 
-int32_t catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type, bool* pass,
-                                bool* exists);
+int32_t catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth,        SUserAuthRes* pRes, bool* exists);
 
 int32_t catalogUpdateUserAuthInfo(SCatalog* pCtg, SGetUserAuthRsp* pAuth);
 

source/libs/catalog/CMakeLists.txt

@@ -8,9 +8,9 @@ target_include_directories(
 
 target_link_libraries(
    catalog
-   PRIVATE os util transport qcom
+   PRIVATE os util transport qcom nodes
 )
 
 if(${BUILD_TEST})
     ADD_SUBDIRECTORY(test)
-endif(${BUILD_TEST})
+endif(${BUILD_TEST})
\ No newline at end of file

source/libs/catalog/inc/catalogInt.h

@@ -99,6 +99,20 @@ typedef struct SCtgDebug {
   uint32_t showCachePeriodSec;
 } SCtgDebug;
 
+typedef struct SCtgAuthReq {
+  SRequestConnInfo* pConn;
+  SUserAuthInfo*    pRawReq;
+  SGetUserAuthRsp   authInfo;
+  AUTH_TYPE         singleType;
+  bool              onlyCache;
+} SCtgAuthReq;
+
+typedef struct SCtgAuthRsp {
+  SUserAuthRes* pRawRes;
+  bool          metaNotExists;
+} SCtgAuthRsp;
+
+
 typedef struct SCtgTbCacheInfo {
   bool     inCache;
   uint64_t dbId;
@@ -214,12 +228,8 @@ typedef struct SCtgRentMgmt {
 } SCtgRentMgmt;
 
 typedef struct SCtgUserAuth {
-  int32_t   version;
-  SRWLatch  lock;
-  bool      superUser;
-  SHashObj* createdDbs;
-  SHashObj* readDbs;
-  SHashObj* writeDbs;
+  SRWLatch        lock;
+  SGetUserAuthRsp userAuth;
 } SCtgUserAuth;
 
 typedef struct SCatalog {
@@ -703,7 +713,7 @@ int32_t ctgTbMetaExistInCache(SCatalog* pCtg, char* dbFName, char* tbName, int32
 int32_t ctgReadTbMetaFromCache(SCatalog* pCtg, SCtgTbMetaCtx* ctx, STableMeta** pTableMeta);
 int32_t ctgReadTbVerFromCache(SCatalog* pCtg, SName* pTableName, int32_t* sver, int32_t* tver, int32_t* tbType,
                               uint64_t* suid, char* stbName);
-int32_t ctgChkAuthFromCache(SCatalog* pCtg, char* user, char* dbFName, AUTH_TYPE type, bool* inCache, bool* pass);
+int32_t ctgChkAuthFromCache(SCatalog *pCtg, SUserAuthInfo *pReq, bool *inCache, SCtgAuthRsp* pRes);
 int32_t ctgDropDbCacheEnqueue(SCatalog* pCtg, const char* dbFName, int64_t dbId);
 int32_t ctgDropDbVgroupEnqueue(SCatalog* pCtg, const char* dbFName, bool syncReq);
 int32_t ctgDropStbMetaEnqueue(SCatalog* pCtg, const char* dbFName, int64_t dbId, const char* stbName, uint64_t suid,
@@ -806,6 +816,7 @@ int32_t ctgAcquireVgMetaFromCache(SCatalog *pCtg, const char *dbFName, const cha
 int32_t ctgCopyTbMeta(SCatalog *pCtg, SCtgTbMetaCtx *ctx, SCtgDBCache **pDb, SCtgTbCache **pTb, STableMeta **pTableMeta, char* dbFName);
 void    ctgReleaseVgMetaToCache(SCatalog *pCtg, SCtgDBCache *dbCache, SCtgTbCache *pCache);
 void    ctgReleaseTbMetaToCache(SCatalog *pCtg, SCtgDBCache *dbCache, SCtgTbCache *pCache);
+int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res);
 
 extern SCatalogMgmt gCtgMgmt;
 extern SCtgDebug    gCTGDebug;

source/libs/catalog/src/catalog.c

@@ -319,14 +319,13 @@ _return:
   CTG_RET(code);
 }
 
-int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type,
-                   bool* pass, bool* exists) {
+int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pReq, SUserAuthRes* pRes, bool* exists) {
   bool    inCache = false;
   int32_t code = 0;
+  SCtgAuthRsp rsp = {0};
+  rsp.pRawRes = pRes;
 
-  *pass = false;
-
-  CTG_ERR_RET(ctgChkAuthFromCache(pCtg, (char*)user, (char*)dbFName, type, &inCache, pass));
+  CTG_ERR_RET(ctgChkAuthFromCache(pCtg, pReq, &inCache, &rsp));
 
   if (inCache) {
     if (exists) {
@@ -339,30 +338,22 @@ int32_t ctgChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, co
     return TSDB_CODE_SUCCESS;
   }
 
-  SGetUserAuthRsp authRsp = {0};
-  CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, user, &authRsp, NULL));
-
-  if (authRsp.superAuth) {
-    *pass = true;
-    goto _return;
-  }
-
-  if (authRsp.createdDbs && taosHashGet(authRsp.createdDbs, dbFName, strlen(dbFName))) {
-    *pass = true;
-    goto _return;
-  }
+  SCtgAuthReq req = {0};
+  req.pRawReq = pReq;
+  req.pConn = pConn;
+  req.onlyCache = exists ? true : false;
+  CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pReq->user, &req.authInfo, NULL));
 
-  if (CTG_AUTH_READ(type) && authRsp.readDbs && taosHashGet(authRsp.readDbs, dbFName, strlen(dbFName))) {
-    *pass = true;
-  } else if (CTG_AUTH_WRITE(type) && authRsp.writeDbs && taosHashGet(authRsp.writeDbs, dbFName, strlen(dbFName))) {
-    *pass = true;
+  CTG_ERR_JRET(ctgChkSetAuthRes(pCtg, &req, &rsp));
+  if (rsp.metaNotExists && exists) {
+    *exists = false;
   }
 
 _return:
 
-  ctgUpdateUserEnqueue(pCtg, &authRsp, false);
+  ctgUpdateUserEnqueue(pCtg, &req.authInfo, false);
 
-  return TSDB_CODE_SUCCESS;
+  CTG_RET(code);
 }
 
 int32_t ctgGetTbType(SCatalog* pCtg, SRequestConnInfo* pConn, SName* pTableName, int32_t* tbType) {
@@ -1368,7 +1359,7 @@ int32_t catalogGetExpiredUsers(SCatalog* pCtg, SUserAuthVersion** users, uint32_
     void*  key = taosHashGetKey(pAuth, &len);
     strncpy((*users)[i].user, key, len);
     (*users)[i].user[len] = 0;
-    (*users)[i].version = pAuth->version;
+    (*users)[i].version = pAuth->userAuth.version;
     ++i;
     if (i >= *num) {
       taosHashCancelIterate(pCtg->userCache, pAuth);
@@ -1448,32 +1439,30 @@ _return:
   CTG_API_LEAVE(code);
 }
 
-int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type,
-                       bool* pass) {
+int32_t catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes) {
   CTG_API_ENTER();
 
-  if (NULL == pCtg || NULL == pConn || NULL == user || NULL == dbFName || NULL == pass) {
+  if (NULL == pCtg || NULL == pConn || NULL == pAuth || NULL == pRes) {
     CTG_API_LEAVE(TSDB_CODE_CTG_INVALID_INPUT);
   }
 
   int32_t code = 0;
-  CTG_ERR_JRET(ctgChkAuth(pCtg, pConn, user, dbFName, type, pass, NULL));
+  CTG_ERR_JRET(ctgChkAuth(pCtg, pConn, pAuth, pRes, NULL));
 
 _return:
 
   CTG_API_LEAVE(code);
 }
 
-int32_t catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type,
-                                        bool* pass, bool* exists) {
+int32_t catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth,        SUserAuthRes* pRes, bool* exists) {
   CTG_API_ENTER();
 
-  if (NULL == pCtg || NULL == user || NULL == dbFName || NULL == pass || NULL == exists) {
+  if (NULL == pCtg || NULL == pAuth || NULL == pRes || NULL == exists) {
     CTG_API_LEAVE(TSDB_CODE_CTG_INVALID_INPUT);
   }
 
   int32_t code = 0;
-  CTG_ERR_JRET(ctgChkAuth(pCtg, NULL, user, dbFName, type, pass, exists));
+  CTG_ERR_JRET(ctgChkAuth(pCtg, NULL, pAuth, pRes, exists));
 
 _return:
 

source/libs/catalog/src/ctgAsync.c

@@ -1550,45 +1550,20 @@ _return:
 int32_t ctgHandleGetUserRsp(SCtgTaskReq* tReq, int32_t reqType, const SDataBuf* pMsg, int32_t rspCode) {
   int32_t          code = 0;
   SCtgTask*        pTask = tReq->pTask;
-  SCtgUserCtx*     ctx = (SCtgUserCtx*)pTask->taskCtx;
   SCatalog*        pCtg = pTask->pJob->pCtg;
-  bool             pass = false;
   SGetUserAuthRsp* pOut = (SGetUserAuthRsp*)pTask->msgCtx.out;
 
   CTG_ERR_JRET(ctgProcessRspMsg(pTask->msgCtx.out, reqType, pMsg->pData, pMsg->len, rspCode, pTask->msgCtx.target));
 
-  if (pOut->superAuth) {
-    pass = true;
-    goto _return;
-  }
+  ctgUpdateUserEnqueue(pCtg, pOut, true);
+  taosMemoryFreeClear(pTask->msgCtx.out);
 
-  if (pOut->createdDbs && taosHashGet(pOut->createdDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) {
-    pass = true;
-    goto _return;
-  }
+  CTG_ERR_JRET((*gCtgAsyncFps[pTask->type].launchFp)(pTask));
 
-  if (CTG_AUTH_READ(ctx->user.type) && pOut->readDbs &&
-      taosHashGet(pOut->readDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) {
-    pass = true;
-  } else if (CTG_AUTH_WRITE(ctx->user.type) && pOut->writeDbs &&
-             taosHashGet(pOut->writeDbs, ctx->user.dbFName, strlen(ctx->user.dbFName))) {
-    pass = true;
-  }
+  return TSDB_CODE_SUCCESS;
 
 _return:
 
-  if (TSDB_CODE_SUCCESS == code) {
-    pTask->res = taosMemoryCalloc(1, sizeof(bool));
-    if (NULL == pTask->res) {
-      code = TSDB_CODE_OUT_OF_MEMORY;
-    } else {
-      *(bool*)pTask->res = pass;
-    }
-  }
-
-  ctgUpdateUserEnqueue(pCtg, pOut, false);
-  taosMemoryFreeClear(pTask->msgCtx.out);
-
   ctgHandleTaskEnd(pTask, code);
 
   CTG_RET(code);
@@ -2067,31 +2042,39 @@ int32_t ctgLaunchGetUdfTask(SCtgTask* pTask) {
 }
 
 int32_t ctgLaunchGetUserTask(SCtgTask* pTask) {
+  int32_t           code = 0;
   SCatalog*         pCtg = pTask->pJob->pCtg;
   SRequestConnInfo* pConn = &pTask->pJob->conn;
   SCtgUserCtx*      pCtx = (SCtgUserCtx*)pTask->taskCtx;
   bool              inCache = false;
-  bool              pass = false;
+  SCtgAuthRsp       rsp = {0};
   SCtgJob*          pJob = pTask->pJob;
   SCtgMsgCtx*       pMsgCtx = CTG_GET_TASK_MSGCTX(pTask, -1);
   if (NULL == pMsgCtx->pBatchs) {
     pMsgCtx->pBatchs = pJob->pBatchs;
   }
 
-  CTG_ERR_RET(ctgChkAuthFromCache(pCtg, pCtx->user.user, pCtx->user.dbFName, pCtx->user.type, &inCache, &pass));
+  rsp.pRawRes = taosMemoryCalloc(1, sizeof(SUserAuthRes));
+  if (NULL == rsp.pRawRes) {
+    CTG_ERR_RET(TSDB_CODE_OUT_OF_MEMORY);
+  }
+  
+  CTG_ERR_RET(ctgChkAuthFromCache(pCtg, &pCtx->user, &inCache, &rsp));
   if (inCache) {
-    pTask->res = taosMemoryCalloc(1, sizeof(bool));
-    if (NULL == pTask->res) {
-      CTG_ERR_RET(TSDB_CODE_OUT_OF_MEMORY);
-    }
-    *(bool*)pTask->res = pass;
+    pTask->res = rsp.pRawRes;
 
     CTG_ERR_RET(ctgHandleTaskEnd(pTask, 0));
     return TSDB_CODE_SUCCESS;
   }
 
-  CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pCtx->user.user, NULL, pTask));
+  taosMemoryFreeClear(rsp.pRawRes);
 
+  if (rsp.metaNotExists) {
+    CTG_ERR_RET(ctgLaunchSubTask(pTask, CTG_TASK_GET_TB_META, ctgGetTbCfgCb, &pCtx->user.tbName));
+  } else {
+    CTG_ERR_RET(ctgGetUserDbAuthFromMnode(pCtg, pConn, pCtx->user.user, NULL, pTask));
+  }
+  
   return TSDB_CODE_SUCCESS;
 }
 
@@ -2139,6 +2122,20 @@ _return:
   CTG_RET(ctgHandleTaskEnd(pTask, pTask->subRes.code));
 }
 
+
+int32_t ctgGetUserCb(SCtgTask* pTask) {
+  int32_t code = 0;
+
+  CTG_ERR_JRET(pTask->subRes.code);
+
+  CTG_RET(ctgLaunchGetUserTask(pTask));
+
+_return:
+
+  CTG_RET(ctgHandleTaskEnd(pTask, pTask->subRes.code));
+}
+
+
 int32_t ctgCompDbVgTasks(SCtgTask* pTask, void* param, bool* equal) {
   SCtgDbVgCtx* ctx = pTask->taskCtx;
 

source/libs/catalog/src/ctgCache.c

@@ -678,55 +678,40 @@ _return:
   CTG_RET(code);
 }
 
-int32_t ctgChkAuthFromCache(SCatalog *pCtg, char *user, char *dbFName, AUTH_TYPE type, bool *inCache, bool *pass) {
-  char *p = strchr(dbFName, '.');
-  if (p) {
-    ++p;
-  } else {
-    p = dbFName;
-  }
-
-  if (IS_SYS_DBNAME(p)) {
+int32_t ctgChkAuthFromCache(SCatalog *pCtg, SUserAuthInfo *pReq, bool *inCache, SCtgAuthRsp* pRes) {
+  if (IS_SYS_DBNAME(pReq->tbName.dbname)) {
     *inCache = true;
-    *pass = true;
-    ctgDebug("sysdb %s, pass", dbFName);
+    pRes->pRawRes->pass = true;
+    ctgDebug("sysdb %s, pass", pReq->tbName.dbname);
     return TSDB_CODE_SUCCESS;
   }
 
-  SCtgUserAuth *pUser = (SCtgUserAuth *)taosHashGet(pCtg->userCache, user, strlen(user));
+  SCtgUserAuth *pUser = (SCtgUserAuth *)taosHashGet(pCtg->userCache, pReq->user, strlen(pReq->user));
   if (NULL == pUser) {
-    ctgDebug("user not in cache, user:%s", user);
+    ctgDebug("user not in cache, user:%s", pReq->user);
     goto _return;
   }
 
   *inCache = true;
 
-  ctgDebug("Got user from cache, user:%s", user);
+  ctgDebug("Got user from cache, user:%s", pReq->user);
   CTG_CACHE_STAT_INC(numOfUserHit, 1);
 
-  if (pUser->superUser) {
-    *pass = true;
-    return TSDB_CODE_SUCCESS;
-  }
+  SCtgAuthReq req = {0};
+  req.pRawReq = pReq;
+  req.onlyCache = true;
 
   CTG_LOCK(CTG_READ, &pUser->lock);
-  if (pUser->createdDbs && taosHashGet(pUser->createdDbs, dbFName, strlen(dbFName))) {
-    *pass = true;
-    CTG_UNLOCK(CTG_READ, &pUser->lock);
-    return TSDB_CODE_SUCCESS;
-  }
-
-  if (pUser->readDbs && taosHashGet(pUser->readDbs, dbFName, strlen(dbFName)) && CTG_AUTH_READ(type)) {
-    *pass = true;
-  }
-
-  if (pUser->writeDbs && taosHashGet(pUser->writeDbs, dbFName, strlen(dbFName)) && CTG_AUTH_WRITE(type)) {
-    *pass = true;
-  }
-
+  memcpy(&req.authInfo, &pUser->userAuth, sizeof(pUser->userAuth));
+  int32_t code = ctgChkSetAuthRes(pCtg, &req, pRes);
   CTG_UNLOCK(CTG_READ, &pUser->lock);
+  CTG_ERR_JRET(code);
+  
+  if (pRes->metaNotExists) {
+    goto _return;
+  }
 
-  return TSDB_CODE_SUCCESS;
+  CTG_RET(code);
 
 _return:
 
@@ -2024,11 +2009,7 @@ int32_t ctgOpUpdateUser(SCtgCacheOperation *operation) {
   if (NULL == pUser) {
     SCtgUserAuth userAuth = {0};
 
-    userAuth.version = msg->userAuth.version;
-    userAuth.superUser = msg->userAuth.superAuth;
-    userAuth.createdDbs = msg->userAuth.createdDbs;
-    userAuth.readDbs = msg->userAuth.readDbs;
-    userAuth.writeDbs = msg->userAuth.writeDbs;
+    memcpy(&userAuth.userAuth, &msg->userAuth, sizeof(msg->userAuth));
 
     if (taosHashPut(pCtg->userCache, msg->userAuth.user, strlen(msg->userAuth.user), &userAuth, sizeof(userAuth))) {
       ctgError("taosHashPut user %s to cache failed", msg->userAuth.user);
@@ -2040,20 +2021,18 @@ int32_t ctgOpUpdateUser(SCtgCacheOperation *operation) {
     return TSDB_CODE_SUCCESS;
   }
 
-  pUser->version = msg->userAuth.version;
-
   CTG_LOCK(CTG_WRITE, &pUser->lock);
 
-  taosHashCleanup(pUser->createdDbs);
-  pUser->createdDbs = msg->userAuth.createdDbs;
+  taosHashCleanup(pUser->userAuth.createdDbs);
+  pUser->userAuth.createdDbs = msg->userAuth.createdDbs;
   msg->userAuth.createdDbs = NULL;
 
-  taosHashCleanup(pUser->readDbs);
-  pUser->readDbs = msg->userAuth.readDbs;
+  taosHashCleanup(pUser->userAuth.readDbs);
+  pUser->userAuth.readDbs = msg->userAuth.readDbs;
   msg->userAuth.readDbs = NULL;
 
-  taosHashCleanup(pUser->writeDbs);
-  pUser->writeDbs = msg->userAuth.writeDbs;
+  taosHashCleanup(pUser->userAuth.writeDbs);
+  pUser->userAuth.writeDbs = msg->userAuth.writeDbs;
   msg->userAuth.writeDbs = NULL;
 
   CTG_UNLOCK(CTG_WRITE, &pUser->lock);

source/libs/catalog/src/ctgUtil.c

@@ -174,9 +174,11 @@ void ctgFreeSMetaData(SMetaData* pData) {
 }
 
 void ctgFreeSCtgUserAuth(SCtgUserAuth* userCache) {
-  taosHashCleanup(userCache->createdDbs);
-  taosHashCleanup(userCache->readDbs);
-  taosHashCleanup(userCache->writeDbs);
+  taosHashCleanup(userCache->userAuth.createdDbs);
+  taosHashCleanup(userCache->userAuth.readDbs);
+  taosHashCleanup(userCache->userAuth.writeDbs);
+  taosHashCleanup(userCache->userAuth.readTbs);
+  taosHashCleanup(userCache->userAuth.writeTbs);
 }
 
 void ctgFreeMetaRent(SCtgRentMgmt* mgmt) {
@@ -1330,6 +1332,131 @@ static void* ctgCloneDnodeList(void* pSrc) { return taosArrayDup((const SArray*)
 
 static void ctgFreeDnodeList(void* p) { taosArrayDestroy((SArray*)((SMetaRes*)p)->pRes); }
 
+int32_t ctgChkSetTbAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) {
+  int32_t code = 0;
+  STableMeta *pMeta = NULL;
+  SGetUserAuthRsp *pInfo = &req->authInfo;
+  SHashObj *pTbs = (AUTH_TYPE_READ == req->singleType) ? pInfo->readTbs : pInfo->writeTbs;
+  
+  char *pCond = taosHashGet(pTbs, req->pRawReq->tbName.tname, strlen(req->pRawReq->tbName.tname));
+  if (pCond) {
+    if (strlen(pCond) > 1) {
+      CTG_RET(nodesStringToNode(pCond, &res->pRawRes->pCond));
+    }
+    
+    res->pRawRes->pass = true;
+    return TSDB_CODE_SUCCESS;
+  }
+
+  CTG_ERR_RET(catalogGetCachedTableMeta(pCtg, &req->pRawReq->tbName, &pMeta));
+  if (NULL == pMeta) {
+    if (req->onlyCache) {
+      res->metaNotExists = true;
+      ctgDebug("db %s tb %s meta not in cache for auth", req->pRawReq->tbName.dbname, req->pRawReq->tbName.tname);
+      return TSDB_CODE_SUCCESS;
+    }
+
+    CTG_ERR_RET(catalogGetTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, &pMeta));
+  }
+
+  if (TSDB_SUPER_TABLE == pMeta->tableType || TSDB_NORMAL_TABLE == pMeta->tableType) {
+    res->pRawRes->pass = false;
+    goto _return;
+  }
+
+  if (TSDB_CHILD_TABLE == pMeta->tableType) {
+    res->pRawRes->pass = true;
+
+/*  
+    char stbName[TSDB_TABLE_NAME_LEN] = {0};
+    CTG_ERR_JRET(ctgGetCachedStbNameFromSuid(pCtg, pMeta->suid, stbName));
+    if (0 == stbName[0]) {
+      if (req->onlyCache) {
+        res->notExists = true;
+        return TSDB_CODE_SUCCESS;
+      }
+      
+      CTG_ERR_RET(catalogRefreshTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, 0));
+    }
+*/    
+  }
+
+_return:
+
+  taosMemoryFree(pMeta);
+  
+  CTG_RET(code);
+}
+
+int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) {
+  int32_t code = 0;
+  SUserAuthInfo* pReq = req->pRawReq;  
+  SUserAuthRes* pRes = res->pRawRes;
+  SGetUserAuthRsp *pInfo = &req->authInfo;
+  
+  pRes->pass = false;
+  pRes->pCond = NULL;  
+
+  if (!pInfo->enable) {
+    pRes->pass = false;
+    return TSDB_CODE_SUCCESS;
+  }
+
+  if (pInfo->superAuth) {
+    pRes->pass = true;
+    return TSDB_CODE_SUCCESS;
+  }
+
+  char dbFName[TSDB_DB_FNAME_LEN];
+  tNameGetFullDbName(&pReq->tbName, dbFName);
+
+  if (pInfo->createdDbs && taosHashGet(pInfo->createdDbs, dbFName, strlen(dbFName))) {
+    pRes->pass = true;
+    return TSDB_CODE_SUCCESS;
+  }
+
+  switch (pReq->type) {
+    case AUTH_TYPE_READ: {
+      if (pInfo->readDbs && taosHashGet(pInfo->readDbs, dbFName, strlen(dbFName))) {
+        pRes->pass = true;
+        return TSDB_CODE_SUCCESS;
+      }
+      if (pInfo->readTbs && taosHashGetSize(pInfo->readTbs) > 0) {
+        req->singleType = AUTH_TYPE_READ;
+        CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res));
+      }
+      
+      break;
+    }
+    case AUTH_TYPE_WRITE: {
+      if (pInfo->writeDbs && taosHashGet(pInfo->writeDbs, dbFName, strlen(dbFName))) {
+        pRes->pass = true;
+        return TSDB_CODE_SUCCESS;
+      }
+      if (pInfo->writeTbs && taosHashGetSize(pInfo->writeTbs) > 0) {
+        req->singleType = AUTH_TYPE_WRITE;
+        CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res));
+      }
+      
+      break;
+    }
+    case AUTH_TYPE_READ_OR_WRITE: {
+      if ((pInfo->readDbs && taosHashGet(pInfo->readDbs, dbFName, strlen(dbFName))) ||
+           (pInfo->writeDbs && taosHashGet(pInfo->writeDbs, dbFName, strlen(dbFName)))){
+        pRes->pass = true;
+        return TSDB_CODE_SUCCESS;
+      }
+     
+      break;
+    }
+    default:
+      break;
+  }
+
+  return TSDB_CODE_SUCCESS;
+}
+
+
 #if 0
 static int32_t ctgCloneMetaDataArray(SArray* pSrc, __array_item_dup_fn_t copyFunc, SArray** pDst) {
   if (NULL == pSrc) {

source/libs/catalog/test/catalogTests.cpp

@@ -2800,15 +2800,19 @@ TEST(apiTest, catalogChkAuth_test) {
   code = catalogGetHandle(ctgTestClusterId, &pCtg);
   ASSERT_EQ(code, 0);
 
-  bool pass = false;
+  SUserAuthInfo authInfo = {0};
+  SUserAuthRes authRes = {0};
+  strcpy(authInfo.user, ctgTestUsername);
+  toName(1, ctgTestDbname, ctgTestSTablename, &authInfo.tbName);
+  authInfo.type = AUTH_TYPE_READ;
   bool exists = false;
-  code = catalogChkAuthFromCache(pCtg, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass, &exists);
+  code = catalogChkAuthFromCache(pCtg, &authInfo, &authRes, &exists);
   ASSERT_EQ(code, 0);
   ASSERT_EQ(exists, false);
-  
-  code = catalogChkAuth(pCtg, mockPointer, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass);
+
+  code = catalogChkAuth(pCtg, mockPointer, &authInfo, &authRes);
   ASSERT_EQ(code, 0);
-  ASSERT_EQ(pass, true);
+  ASSERT_EQ(authRes.pass, true);
 
   while (true) {
     uint64_t n = 0;
@@ -2820,9 +2824,9 @@ TEST(apiTest, catalogChkAuth_test) {
     }
   }
 
-  code = catalogChkAuthFromCache(pCtg, ctgTestUsername, ctgTestDbname, AUTH_TYPE_READ, &pass, &exists);
+  code = catalogChkAuthFromCache(pCtg, &authInfo, &authRes, &exists);
   ASSERT_EQ(code, 0);
-  ASSERT_EQ(pass, true);
+  ASSERT_EQ(authRes.pass, true);
   ASSERT_EQ(exists, true);
 
   catalogDestroy();

source/libs/parser/src/parAuthenticator.c

@@ -44,7 +44,10 @@ static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, AUTH_TYPE type) {
                              .requestObjRefId = pParseCxt->requestRid,
                              .mgmtEps = pParseCxt->mgmtEpSet};
 
-    code = catalogChkAuth(pParseCxt->pCatalog, &conn, pParseCxt->pUser, dbFname, type, &pass);
+    SUserAuthInfo authInfo = {0};
+    SUserAuthRes  authRes = {0};
+    //code = catalogChkAuth(pParseCxt->pCatalog, &conn, pParseCxt->pUser, dbFname, type, &pass);
+    code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes);
   }
   return TSDB_CODE_SUCCESS == code ? (pass ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED) : code;
 }

source/libs/parser/src/parInsertSql.c

@@ -729,13 +729,20 @@ static int32_t checkAuth(SParseContext* pCxt, SName* pTbName, bool* pMissCache)
   bool    pass = true;
   bool    exists = true;
   if (pCxt->async) {
-    code = catalogChkAuthFromCache(pCxt->pCatalog, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass, &exists);
+    SUserAuthInfo authInfo = {0};
+    SUserAuthRes  authRes = {0};
+//    code = catalogChkAuthFromCache(pCxt->pCatalog, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass, &exists);
+    code = catalogChkAuthFromCache(pCxt->pCatalog, &authInfo, &authRes, &exists);
   } else {
     SRequestConnInfo conn = {.pTrans = pCxt->pTransporter,
                              .requestId = pCxt->requestId,
                              .requestObjRefId = pCxt->requestRid,
                              .mgmtEps = pCxt->mgmtEpSet};
-    code = catalogChkAuth(pCxt->pCatalog, &conn, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass);
+    SUserAuthInfo authInfo = {0};
+    SUserAuthRes  authRes = {0};
+    //code = catalogChkAuth(pCxt->pCatalog, &conn, pCxt->pUser, dbFName, AUTH_TYPE_WRITE, &pass);
+    code = catalogChkAuth(pCxt->pCatalog, &conn, &authInfo, &authRes);
+
   }
   if (TSDB_CODE_SUCCESS == code) {
     if (!exists) {
@@ -1901,7 +1908,7 @@ static int32_t buildInsertUserAuthReq(const char* pUser, SName* pName, SArray**
 
   SUserAuthInfo userAuth = {.type = AUTH_TYPE_WRITE};
   snprintf(userAuth.user, sizeof(userAuth.user), "%s", pUser);
-  tNameGetFullDbName(pName, userAuth.dbFName);
+  //tNameGetFullDbName(pName, userAuth.dbFName);
   taosArrayPush(*pUserAuth, &userAuth);
 
   return TSDB_CODE_SUCCESS;

source/libs/parser/src/parUtil.c

@@ -509,7 +509,7 @@ static void stringToUserAuth(const char* pStr, int32_t len, SUserAuthInfo* pUser
   strncpy(pUserAuth->user, pStr, p1 - pStr);
   ++p1;
   char* p2 = strchr(p1, '*');
-  strncpy(pUserAuth->dbFName, p1, p2 - p1);
+  //strncpy(pUserAuth->dbFName, p1, p2 - p1);
   ++p2;
   char buf[10] = {0};
   strncpy(buf, p2, len - (p2 - pStr));
@@ -712,7 +712,8 @@ static int32_t putUserAuthToCache(const SArray* pUserAuthReq, const SArray* pUse
   for (int32_t i = 0; i < nvgs; ++i) {
     SUserAuthInfo* pUser = taosArrayGet(pUserAuthReq, i);
     char           key[USER_AUTH_KEY_MAX_LEN] = {0};
-    int32_t        len = userAuthToStringExt(pUser->user, pUser->dbFName, pUser->type, key);
+    //int32_t        len = userAuthToStringExt(pUser->user, pUser->dbFName, pUser->type, key);
+    int32_t        len = 0;
     if (TSDB_CODE_SUCCESS != putMetaDataToHash(key, len, pUserAuthData, i, pUserAuth)) {
       return TSDB_CODE_OUT_OF_MEMORY;
     }

source/libs/parser/test/mockCatalog.cpp

@@ -279,15 +279,13 @@ int32_t __catalogGetDBCfg(SCatalog* pCtg, SRequestConnInfo* pConn, const char* d
   return g_mockCatalogService->catalogGetDBCfg(dbFName, pDbCfg);
 }
 
-int32_t __catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, const char* user, const char* dbFName, AUTH_TYPE type,
-                         bool* pass) {
-  *pass = true;
+int32_t __catalogChkAuth(SCatalog* pCtg, SRequestConnInfo* pConn, SUserAuthInfo *pAuth, SUserAuthRes* pRes) {
+  pRes->pass = true;
   return 0;
 }
 
-int32_t __catalogChkAuthFromCache(SCatalog* pCtg, const char* user, const char* dbFName, AUTH_TYPE type, bool* pass,
-                                  bool* exists) {
-  *pass = true;
+int32_t __catalogChkAuthFromCache(SCatalog* pCtg, SUserAuthInfo *pAuth,        SUserAuthRes* pRes, bool* exists) {
+  pRes->pass = true;
   *exists = true;
   return 0;
 }