提交 fb9b00ef 编写于 作者: S Shengliang Guan

check user auth

上级 cb012d5c
......@@ -135,7 +135,7 @@ typedef enum _mgmt_table {
#define TSDB_ALTER_USER_CLEAR_READ_DB 0x5
#define TSDB_ALTER_USER_ADD_WRITE_DB 0x6
#define TSDB_ALTER_USER_REMOVE_WRITE_DB 0x7
#define TSDB_ALTER_USER_CLEAR_WRITE_DB 0x7
#define TSDB_ALTER_USER_CLEAR_WRITE_DB 0x8
#define TSDB_ALTER_USER_PRIVILEGES 0x2
......
......@@ -25,6 +25,10 @@ extern "C" {
int32_t mndInitAuth(SMnode *pMnode);
void mndCleanupAuth(SMnode *pMnode);
int32_t mndCheckCreateUserAuth(SUserObj *pOperUser);
int32_t mndCheckAlterUserAuth(SUserObj *pOperUser, SUserObj *pUser, SDbObj *pDb, SAlterUserReq *pAlter);
int32_t mndCheckDropUserAuth(SUserObj *pOperUser);
#ifdef __cplusplus
}
#endif
......
......@@ -57,3 +57,56 @@ static int32_t mndProcessAuthReq(SMnodeMsg *pReq) {
mTrace("user:%s, auth req received, spi:%d encrypt:%d ruser:%s", pReq->user, pAuth->spi, pAuth->encrypt, pAuth->user);
return code;
}
int32_t mndCheckCreateUserAuth(SUserObj *pOperUser) {
if (pOperUser->superUser) {
return 0;
}
terrno = TSDB_CODE_MND_NO_RIGHTS;
return -1;
}
int32_t mndCheckAlterUserAuth(SUserObj *pOperUser, SUserObj *pUser, SDbObj *pDb, SAlterUserReq *pAlter) {
if (pAlter->alterType == TSDB_ALTER_USER_PASSWD) {
if (pOperUser->superUser || strcmp(pUser->user, pOperUser->user) == 0) {
return 0;
}
}
if (pAlter->alterType == TSDB_ALTER_USER_SUPERUSER) {
if (strcmp(pUser->user, TSDB_DEFAULT_USER) == 0) {
terrno = TSDB_CODE_MND_NO_RIGHTS;
return -1;
}
if (pOperUser->superUser) {
return 0;
}
}
if (pAlter->alterType == TSDB_ALTER_USER_CLEAR_WRITE_DB || pAlter->alterType == TSDB_ALTER_USER_CLEAR_READ_DB) {
if (pOperUser->superUser) {
return 0;
}
}
if (pAlter->alterType == TSDB_ALTER_USER_ADD_READ_DB || pAlter->alterType == TSDB_ALTER_USER_REMOVE_READ_DB ||
pAlter->alterType == TSDB_ALTER_USER_ADD_WRITE_DB || pAlter->alterType == TSDB_ALTER_USER_REMOVE_WRITE_DB) {
if (pOperUser->superUser || strcmp(pUser->user, pDb->createUser) == 0) {
return 0;
}
}
terrno = TSDB_CODE_MND_NO_RIGHTS;
return -1;
}
int32_t mndCheckDropUserAuth(SUserObj *pOperUser) {
if (pOperUser->superUser) {
return 0;
}
terrno = TSDB_CODE_MND_NO_RIGHTS;
return -1;
}
\ No newline at end of file
......@@ -15,6 +15,7 @@
#define _DEFAULT_SOURCE
#include "mndUser.h"
#include "mndAuth.h"
#include "mndDb.h"
#include "mndShow.h"
#include "mndTrans.h"
......@@ -29,7 +30,7 @@ static SSdbRow *mndUserActionDecode(SSdbRaw *pRaw);
static int32_t mndUserActionInsert(SSdb *pSdb, SUserObj *pUser);
static int32_t mndUserActionDelete(SSdb *pSdb, SUserObj *pUser);
static int32_t mndUserActionUpdate(SSdb *pSdb, SUserObj *pOld, SUserObj *pNew);
static int32_t mndCreateUser(SMnode *pMnode, char *acct, char *user, char *pass, SMnodeMsg *pReq);
static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate, SMnodeMsg *pReq);
static int32_t mndProcessCreateUserReq(SMnodeMsg *pReq);
static int32_t mndProcessAlterUserReq(SMnodeMsg *pReq);
static int32_t mndProcessDropUserReq(SMnodeMsg *pReq);
......@@ -96,7 +97,11 @@ static int32_t mndCreateDefaultUsers(SMnode *pMnode) {
static SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
terrno = TSDB_CODE_OUT_OF_MEMORY;
SSdbRaw *pRaw = sdbAllocRaw(SDB_USER, TSDB_USER_VER_NUMBER, sizeof(SUserObj) + TSDB_USER_RESERVE_SIZE);
int32_t numOfReadDbs = taosHashGetSize(pUser->readDbs);
int32_t numOfWriteDbs = taosHashGetSize(pUser->writeDbs);
int32_t size = sizeof(SUserObj) + TSDB_USER_RESERVE_SIZE + (numOfReadDbs + numOfWriteDbs) * TSDB_DB_FNAME_LEN;
SSdbRaw *pRaw = sdbAllocRaw(SDB_USER, TSDB_USER_VER_NUMBER, size);
if (pRaw == NULL) goto USER_ENCODE_OVER;
int32_t dataPos = 0;
......@@ -106,9 +111,6 @@ static SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
SDB_SET_INT64(pRaw, dataPos, pUser->createdTime, USER_ENCODE_OVER)
SDB_SET_INT64(pRaw, dataPos, pUser->updateTime, USER_ENCODE_OVER)
SDB_SET_INT8(pRaw, dataPos, pUser->superUser, USER_ENCODE_OVER)
int32_t numOfReadDbs = taosHashGetSize(pUser->readDbs);
int32_t numOfWriteDbs = taosHashGetSize(pUser->writeDbs);
SDB_SET_INT32(pRaw, dataPos, numOfReadDbs, USER_ENCODE_OVER)
SDB_SET_INT32(pRaw, dataPos, numOfWriteDbs, USER_ENCODE_OVER)
......@@ -257,21 +259,21 @@ void mndReleaseUser(SMnode *pMnode, SUserObj *pUser) {
sdbRelease(pSdb, pUser);
}
static int32_t mndCreateUser(SMnode *pMnode, char *acct, char *user, char *pass, SMnodeMsg *pReq) {
static int32_t mndCreateUser(SMnode *pMnode, char *acct, SCreateUserReq *pCreate, SMnodeMsg *pReq) {
SUserObj userObj = {0};
taosEncryptPass_c((uint8_t *)pass, strlen(pass), userObj.pass);
tstrncpy(userObj.user, user, TSDB_USER_LEN);
taosEncryptPass_c((uint8_t *)pCreate->pass, strlen(pCreate->pass), userObj.pass);
tstrncpy(userObj.user, pCreate->user, TSDB_USER_LEN);
tstrncpy(userObj.acct, acct, TSDB_USER_LEN);
userObj.createdTime = taosGetTimestampMs();
userObj.updateTime = userObj.createdTime;
userObj.superUser = 0;
userObj.superUser = pCreate->superUser;
STrans *pTrans = mndTransCreate(pMnode, TRN_POLICY_ROLLBACK, &pReq->rpcMsg);
if (pTrans == NULL) {
mError("user:%s, failed to create since %s", user, terrstr());
mError("user:%s, failed to create since %s", pCreate->user, terrstr());
return -1;
}
mDebug("trans:%d, used to create user:%s", pTrans->id, user);
mDebug("trans:%d, used to create user:%s", pTrans->id, pCreate->user);
SSdbRaw *pRedoRaw = mndUserActionEncode(&userObj);
if (pRedoRaw == NULL || mndTransAppendRedolog(pTrans, pRedoRaw) != 0) {
......@@ -324,7 +326,11 @@ static int32_t mndProcessCreateUserReq(SMnodeMsg *pReq) {
goto CREATE_USER_OVER;
}
code = mndCreateUser(pMnode, pOperUser->acct, createReq.user, createReq.pass, pReq);
if (mndCheckCreateUserAuth(pOperUser) != 0) {
goto CREATE_USER_OVER;
}
code = mndCreateUser(pMnode, pOperUser->acct, &createReq, pReq);
if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;
CREATE_USER_OVER:
......@@ -391,6 +397,7 @@ static int32_t mndProcessAlterUserReq(SMnodeMsg *pReq) {
int32_t code = -1;
SUserObj *pUser = NULL;
SUserObj *pOperUser = NULL;
SUserObj newUser = {0};
SAlterUserReq alterReq = {0};
if (tDeserializeSAlterUserReq(pReq->rpcMsg.pCont, &alterReq) == NULL) goto ALTER_USER_OVER;
......@@ -419,7 +426,6 @@ static int32_t mndProcessAlterUserReq(SMnodeMsg *pReq) {
goto ALTER_USER_OVER;
}
SUserObj newUser = {0};
memcpy(&newUser, pUser, sizeof(SUserObj));
newUser.readDbs = mndDupDbHash(pUser->readDbs);
newUser.writeDbs = mndDupDbHash(pUser->writeDbs);
......@@ -476,17 +482,22 @@ static int32_t mndProcessAlterUserReq(SMnodeMsg *pReq) {
newUser.updateTime = taosGetTimestampMs();
if (mndCheckAlterUserAuth(pOperUser, pUser, pDb, &alterReq) != 0) {
goto ALTER_USER_OVER;
}
code = mndUpdateUser(pMnode, pUser, &newUser, pReq);
if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;
ALTER_USER_OVER:
if (code != 0 && code != TSDB_CODE_MND_ACTION_IN_PROGRESS) {
mError("user:%s, failed to alter since %s", alterReq.user, terrstr());
}
mndReleaseUser(pMnode, pOperUser);
mndReleaseUser(pMnode, pUser);
taosHashCleanup(newUser.writeDbs);
taosHashCleanup(newUser.readDbs);
return code;
}
......@@ -545,6 +556,10 @@ static int32_t mndProcessDropUserReq(SMnodeMsg *pReq) {
goto DROP_USER_OVER;
}
if (mndCheckDropUserAuth(pOperUser) != 0) {
goto DROP_USER_OVER;
}
code = mndDropUser(pMnode, pReq, pUser);
if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS;
......
......@@ -102,16 +102,108 @@ TEST_F(MndTestUser, 02_Create_User) {
SRpcMsg* pRsp = test.SendReq(TDMT_MND_CREATE_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 2);
CheckBinary("u1", TSDB_USER_LEN);
CheckBinary("root", TSDB_USER_LEN);
CheckBinary("normal", 10);
CheckBinary("super", 10);
CheckTimestamp();
CheckTimestamp();
CheckBinary("root", TSDB_USER_LEN);
CheckBinary("root", TSDB_USER_LEN);
}
{
SDropUserReq dropReq = {0};
strcpy(dropReq.user, "u1");
int32_t contLen = tSerializeSDropUserReq(NULL, &dropReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSDropUserReq(&pBuf, &dropReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_DROP_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
CHECK_META("show users", 4);
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 1);
}
{
SCreateUserReq createReq = {0};
strcpy(createReq.user, "u2");
strcpy(createReq.pass, "p1");
createReq.superUser = 1;
int32_t contLen = tSerializeSCreateUserReq(NULL, &createReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSCreateUserReq(&pBuf, &createReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_CREATE_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 2);
CheckBinary("root", TSDB_USER_LEN);
CheckBinary("u2", TSDB_USER_LEN);
CheckBinary("super", 10);
CheckBinary("super", 10);
CheckTimestamp();
CheckTimestamp();
CheckBinary("root", TSDB_USER_LEN);
CheckBinary("root", TSDB_USER_LEN);
}
{
SDropUserReq dropReq = {0};
strcpy(dropReq.user, "u2");
int32_t contLen = tSerializeSDropUserReq(NULL, &dropReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSDropUserReq(&pBuf, &dropReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_DROP_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 1);
}
}
TEST_F(MndTestUser, 03_Alter_User) {
{
SCreateUserReq createReq = {0};
strcpy(createReq.user, "u3");
strcpy(createReq.pass, "p1");
createReq.superUser = 1;
int32_t contLen = tSerializeSCreateUserReq(NULL, &createReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSCreateUserReq(&pBuf, &createReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_CREATE_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 2);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_PASSWD;
......@@ -131,7 +223,7 @@ TEST_F(MndTestUser, 03_Alter_User) {
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_PASSWD;
strcpy(alterReq.user, "u1");
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
......@@ -163,7 +255,40 @@ TEST_F(MndTestUser, 03_Alter_User) {
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_PASSWD;
strcpy(alterReq.user, "u1");
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_SUPERUSER;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
alterReq.superUser = 1;
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_CLEAR_WRITE_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
......@@ -175,9 +300,141 @@ TEST_F(MndTestUser, 03_Alter_User) {
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_CLEAR_READ_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_ADD_READ_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
strcpy(alterReq.dbname, "d1");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, TSDB_CODE_MND_DB_NOT_EXIST);
}
{
int32_t contLen = sizeof(SCreateDbReq);
SCreateDbReq* pReq = (SCreateDbReq*)rpcMallocCont(contLen);
strcpy(pReq->db, "1.d2");
pReq->numOfVgroups = htonl(2);
pReq->cacheBlockSize = htonl(16);
pReq->totalBlocks = htonl(10);
pReq->daysPerFile = htonl(10);
pReq->daysToKeep0 = htonl(3650);
pReq->daysToKeep1 = htonl(3650);
pReq->daysToKeep2 = htonl(3650);
pReq->minRows = htonl(100);
pReq->maxRows = htonl(4096);
pReq->commitTime = htonl(3600);
pReq->fsyncPeriod = htonl(3000);
pReq->walLevel = 1;
pReq->precision = 0;
pReq->compression = 2;
pReq->replications = 1;
pReq->quorum = 1;
pReq->update = 0;
pReq->cacheLastRow = 0;
pReq->ignoreExist = 1;
SRpcMsg* pRsp = test.SendReq(TDMT_MND_CREATE_DB, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_ADD_READ_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
strcpy(alterReq.dbname, "1.d2");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_ADD_READ_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
strcpy(alterReq.dbname, "1.d2");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SAlterUserReq alterReq = {0};
alterReq.alterType = TSDB_ALTER_USER_REMOVE_READ_DB;
strcpy(alterReq.user, "u3");
strcpy(alterReq.pass, "1");
strcpy(alterReq.dbname, "1.d2");
int32_t contLen = tSerializeSAlterUserReq(NULL, &alterReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSAlterUserReq(&pBuf, &alterReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_ALTER_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SDropUserReq dropReq = {0};
strcpy(dropReq.user, "u3");
int32_t contLen = tSerializeSDropUserReq(NULL, &dropReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSDropUserReq(&pBuf, &dropReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_DROP_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
test.SendShowMetaReq(TSDB_MGMT_TABLE_USER, "");
test.SendShowRetrieveReq();
EXPECT_EQ(test.GetShowRows(), 1);
}
}
TEST_F(MndTestUser, 04_Drop_User) {
TEST_F(MndTestUser, 05_Drop_User) {
{
SDropUserReq dropReq = {0};
strcpy(dropReq.user, "");
......@@ -206,6 +463,21 @@ TEST_F(MndTestUser, 04_Drop_User) {
ASSERT_EQ(pRsp->code, TSDB_CODE_MND_USER_NOT_EXIST);
}
{
SCreateUserReq createReq = {0};
strcpy(createReq.user, "u1");
strcpy(createReq.pass, "p1");
int32_t contLen = tSerializeSCreateUserReq(NULL, &createReq);
void* pReq = rpcMallocCont(contLen);
void* pBuf = pReq;
tSerializeSCreateUserReq(&pBuf, &createReq);
SRpcMsg* pRsp = test.SendReq(TDMT_MND_CREATE_USER, pReq, contLen);
ASSERT_NE(pRsp, nullptr);
ASSERT_EQ(pRsp->code, 0);
}
{
SDropUserReq dropReq = {0};
strcpy(dropReq.user, "u1");
......@@ -227,7 +499,7 @@ TEST_F(MndTestUser, 04_Drop_User) {
EXPECT_EQ(test.GetShowRows(), 1);
}
TEST_F(MndTestUser, 05_Create_Drop_Alter_User) {
TEST_F(MndTestUser, 06_Create_Drop_Alter_User) {
{
SCreateUserReq createReq = {0};
strcpy(createReq.user, "u1");
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册