
[fix](auth)Fix some issues with incorrect permission verification (#3…
…9726)

- `show columns` does not perform a permission check
- `show sync job` does not perform a permission check
- `show data from db.table` should be authorized by the privilege on the
table, not by the admin privilege
- users holding only the GRANT privilege should not see every connection in
`SHOW PROCESSLIST`
- `show tablet storage format`: fix the permission error message

Test cases will be added uniformly in other PRs.
zddr authored Aug 28, 2024
1 parent 6b59bf0 commit 603d1e0
Showing 5 changed files with 24 additions and 6 deletions.
Expand Up @@ -18,9 +18,14 @@
package org.apache.doris.analysis;

import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.InfoSchemaDb;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;

import com.google.common.base.Strings;
Expand Down Expand Up @@ -103,6 +108,12 @@ public void analyze(Analyzer analyzer) throws AnalysisException {
} else {
metaData = META_DATA;
}
if (!Env.getCurrentEnv().getAccessManager()
.checkTblPriv(ConnectContext.get(), tableName.getCtl(), tableName.getDb(),
tableName.getTbl(), PrivPredicate.SHOW)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_TABLE_ACCESS_DENIED_ERROR,
PrivPredicate.SHOW.getPrivs().toString(), tableName);
}
}

@Override
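Review bot: The new checkTblPriv call is the last statement of analyze(), after metaData has already been selected, and the part of analyze() that resolves tableName lies outside this hunk; an authorization check is normally placed as soon as the table name is known so that nothing further is computed for an unauthorized caller, so I would move the block up to directly after the name is analyzed. The file also imports InfoSchemaDb, so please confirm that the access manager still admits information_schema tables for ordinary users, otherwise `SHOW COLUMNS` on those tables would start failing for sessions without an explicit SHOW grant. A short why-comment above the check would help the next reader: `// SHOW COLUMNS exposes schema details, so require SHOW privilege on the target table`.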
Expand Up @@ -127,7 +127,7 @@ public void analyze(Analyzer analyzer) throws UserException {
return;
}
dbName = analyzer.getDefaultDb();
if (Strings.isNullOrEmpty(dbName)) {
if (Strings.isNullOrEmpty(dbName) && tableName == null) {
getAllDbStats();
return;
}
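Review bot: With the tightened condition, a session that has no default database but did supply a table name now skips the `getAllDbStats()` branch and continues with `dbName` still empty, and the code that runs next is outside the hunk; unless it derives the database from `tableName` (as it would need to for `SHOW DATA FROM db.tbl`), it will operate on an empty database name. If tableName is a TableName as in ShowColumnStmt, I would make the case explicit right after the guard: `if (Strings.isNullOrEmpty(dbName) && Strings.isNullOrEmpty(tableName.getDb())) { ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR); }`. The table-level SHOW check that the commit message describes for this statement is not visible in the hunk, so I could not confirm it; the enclosing analyze() starts before and continues after these lines.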
Expand Up @@ -18,10 +18,14 @@
package org.apache.doris.analysis;

import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.InternalCatalog;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.qe.ShowResultSetMetaData;

import com.google.common.base.Strings;
Expand Down Expand Up @@ -60,6 +64,11 @@ public void analyze(Analyzer analyzer) throws UserException {
ErrorReport.reportAnalysisException(ErrorCode.ERR_NO_DB_ERROR);
}
}
if (!Env.getCurrentEnv().getAccessManager()
.checkDbPriv(ConnectContext.get(), InternalCatalog.INTERNAL_CATALOG_NAME, dbName, PrivPredicate.SHOW)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_DB_ACCESS_DENIED_ERROR,
PrivPredicate.SHOW.getPrivs().toString(), dbName);
}
}

@Override
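Review bot: The added checkDbPriv call hard-codes `InternalCatalog.INTERNAL_CATALOG_NAME` instead of taking the catalog from the connect context; that is presumably intentional because sync jobs exist only in the internal catalog, but the assumption is not stated and a reader working with external catalogs may take it for a bug, so I would add `// sync jobs exist only in the internal catalog, so the check is scoped to it` above the `if`. It is also worth confirming that PrivPredicate.SHOW is the intended predicate for listing jobs rather than a load-oriented one, since I cannot see how the sibling job-listing statements in this package do it from this hunk. The enclosing analyze() continues outside the hunk.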
Expand Up @@ -38,10 +38,8 @@ public ShowTabletStorageFormatStmt(boolean verbose) {
public void analyze(Analyzer analyzer) throws UserException {
// check access first
if (!Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
ErrorReport.reportAnalysisException(ErrorCode.ERR_ACCESS_DENIED_ERROR,
toSql(),
ConnectContext.get().getQualifiedUser(),
ConnectContext.get().getRemoteIP(), "ADMIN Privilege needed.");
ErrorReport.reportAnalysisException(ErrorCode.ERR_SPECIFIC_ACCESS_DENIED_ERROR,
PrivPredicate.ADMIN.getPrivs().toString());
}

super.analyze(analyzer);
Expand Up @@ -163,7 +163,7 @@ public List<ConnectContext.ThreadInfo> listConnection(String user, boolean isFul
for (ConnectContext ctx : connectionMap.values()) {
// Check auth
if (!ctx.getQualifiedUser().equals(user) && !Env.getCurrentEnv().getAccessManager()
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.GRANT)) {
.checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN)) {
continue;
}

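Review bot: The ADMIN check on the changed line is re-evaluated inside the loop for every connection owned by another user, although its result depends only on the caller; hoist it above the loop as `boolean callerIsAdmin = Env.getCurrentEnv().getAccessManager().checkGlobalPriv(ConnectContext.get(), PrivPredicate.ADMIN);` and make the filter `if (!callerIsAdmin && !ctx.getQualifiedUser().equals(user)) { continue; }`. Note also that identity comes from the `user` parameter while authorization comes from the thread-local `ConnectContext.get()`; if listConnection can be reached from a thread with no bound context, that call yields null here, so it is worth confirming how the access manager treats a null context rather than relying on it. The method signature and the rest of the loop body are outside the hunk.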
