From 6b51e9dfbd4e655ea394ec548886edbf669dae32 Mon Sep 17 00:00:00 2001
From: zhangdong
Date: Thu, 26 Dec 2024 19:05:10 +0800
Subject: [PATCH] [fix](auth)Fix the compatibility issue with show_view_priv when replaying editLog (#45949)
### What problem does this PR solve?
The previous version showed an index of 9 for show_view_priv, while the new version has an index of 14 The previous logic was only compatible with the playback logic of images, not with the playback logic of editLog
---
 .../apache/doris/mysql/privilege/Auth.java | 16 ++--
 .../apache/doris/mysql/privilege/Role.java | 87 +++++++++++--------
 2 files changed, 62 insertions(+), 41 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
index 9d6f52d5a51d7d..42e26cd4d0559c 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Auth.java
@@ -658,17 +658,19 @@ public void grant(GrantStmt stmt) throws DdlException {
 public void replayGrant(PrivInfo privInfo) {
 try {
+ PrivBitSet privs = privInfo.getPrivs();
+ Role.compatibilityAuthIndexChange(privs);
 if (privInfo.getTblPattern() != null) {
 grantInternal(privInfo.getUserIdent(), privInfo.getRole(),
- privInfo.getTblPattern(), privInfo.getPrivs(), privInfo.getColPrivileges(),
+ privInfo.getTblPattern(), privs, privInfo.getColPrivileges(),
 true /* err on non exist */, true /* is replay */);
 } else if (privInfo.getResourcePattern() != null) {
 grantInternal(privInfo.getUserIdent(), privInfo.getRole(),
- privInfo.getResourcePattern(), privInfo.getPrivs(),
+ privInfo.getResourcePattern(), privs,
 true /* err on non exist */, true /* is replay */);
 } else if (privInfo.getWorkloadGroupPattern() != null) {
 grantInternal(privInfo.getUserIdent(), privInfo.getRole(),
- privInfo.getWorkloadGroupPattern(), privInfo.getPrivs(),
+ privInfo.getWorkloadGroupPattern(), privs,
 true /* err on non exist */, true /* is replay */);
 } else {
 grantInternal(privInfo.getUserIdent(), privInfo.getRoles(), true);
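Review bot: `Role.compatibilityAuthIndexChange(privs)` rewrites the `PrivBitSet` returned by `privInfo.getPrivs()` in place, so the replayed journal object itself is altered before `grantInternal` sees it, and nothing at the call site says so. The helper also returns without doing anything when the bit set is null or when its mode/version gate does not match, so a replayed entry can keep the deprecated index with no trace in the log. Since this decides which privilege a replayed entry ends up granting, a comment above the two added lines would help, e.g. `// editLog entries written before the index change still carry the old privilege index; remap in place before applying`. The same applies to `replayRevoke` in the next hunk, where an unmapped index would presumably leave the current SHOW_VIEW_PRIV bit untouched; both method bodies continue past the end of their hunks.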
@@ -843,14 +845,16 @@ public void revoke(RevokeStmt stmt) throws DdlException {
 public void replayRevoke(PrivInfo info) {
 try {
+ PrivBitSet privs = info.getPrivs();
+ Role.compatibilityAuthIndexChange(privs);
 if (info.getTblPattern() != null) {
- revokeInternal(info.getUserIdent(), info.getRole(), info.getTblPattern(), info.getPrivs(),
+ revokeInternal(info.getUserIdent(), info.getRole(), info.getTblPattern(), privs,
 info.getColPrivileges(), true /* err on non exist */, true /* is replay */);
 } else if (info.getResourcePattern() != null) {
- revokeInternal(info.getUserIdent(), info.getRole(), info.getResourcePattern(), info.getPrivs(),
+ revokeInternal(info.getUserIdent(), info.getRole(), info.getResourcePattern(), privs,
 true /* err on non exist */, true /* is replay */);
 } else if (info.getWorkloadGroupPattern() != null) {
- revokeInternal(info.getUserIdent(), info.getRole(), info.getWorkloadGroupPattern(), info.getPrivs(),
+ revokeInternal(info.getUserIdent(), info.getRole(), info.getWorkloadGroupPattern(), privs,
 true /* err on non exist */, true /* is replay */);
 } else {
 revokeInternal(info.getUserIdent(), info.getRoles(), true /* is replay */);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
index 0054579062fcc5..64feead6667098 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/Role.java
@@ -1111,53 +1111,70 @@ private void compatibilityErrEnum() {
 LOG.info("auth into compatibility logic, currentVersion={}", currentVersion);
 if (Config.isNotCloudMode() && currentVersion >= FeMetaVersion.VERSION_129) {
- // not cloud mode,
- // For versions greater than VERSION_123,
- // the community requires versions above VERSION_129 to follow compatibility logic.
-
- // SHOW_VIEW_PRIV_DEPRECATED -> SHOW_VIEW_PRIV (9 -> 14)
 tblPatternToPrivs.values().forEach(privBitSet -> {
- if (privBitSet.containsPrivs(Privilege.SHOW_VIEW_PRIV_DEPRECATED)) {
- // remove SHOW_VIEW_PRIV_DEPRECATED
- privBitSet.unset(Privilege.SHOW_VIEW_PRIV_DEPRECATED.getIdx());
- // add SHOW_VIEW_PRIV
- privBitSet.set(Privilege.SHOW_VIEW_PRIV.getIdx());
- }
+ compatibilityAuthIndexChange(privBitSet);
 });
 } else if (Config.isCloudMode()) {
- // cloud mode
- // For versions greater than VERSION_123, the cloud requires compatibility logic.
-
- // CLUSTER_USAGE_PRIV_DEPRECATED -> CLUSTER_USAGE_PRIV (9 -> 12)
 clusterPatternToPrivs.values().forEach(privBitSet -> {
- if (privBitSet.containsPrivs(Privilege.CLUSTER_USAGE_PRIV_DEPRECATED)) {
- // remove CLUSTER_USAGE_PRIV_DEPRECATED
- privBitSet.unset(Privilege.CLUSTER_USAGE_PRIV_DEPRECATED.getIdx());
- // add CLUSTER_USAGE_PRIV
- privBitSet.set(Privilege.CLUSTER_USAGE_PRIV.getIdx());
- }
+ compatibilityAuthIndexChange(privBitSet);
 });
- // STAGE_USAGE_PRIV_DEPRECATED -> STAGE_USAGE_PRIV (10 -> 13)
 stagePatternToPrivs.values().forEach(privBitSet -> {
- if (privBitSet.containsPrivs(Privilege.STAGE_USAGE_PRIV_DEPRECATED)) {
- // remove CLUSTER_USAGE_PRIV_DEPRECATED
- privBitSet.unset(Privilege.STAGE_USAGE_PRIV_DEPRECATED.getIdx());
- // add CLUSTER_USAGE_PRIV
- privBitSet.set(Privilege.STAGE_USAGE_PRIV.getIdx());
- }
+ compatibilityAuthIndexChange(privBitSet);
 });
- // SHOW_VIEW_PRIV_CLOUD_DEPRECATED -> SHOW_VIEW_PRIV (11 -> 14)
 tblPatternToPrivs.values().forEach(privBitSet -> {
- if (privBitSet.containsPrivs(Privilege.SHOW_VIEW_PRIV_CLOUD_DEPRECATED)) {
- // remove SHOW_VIEW_PRIV_CLOUD_DEPRECATED
- privBitSet.unset(Privilege.SHOW_VIEW_PRIV_CLOUD_DEPRECATED.getIdx());
- // add SHOW_VIEW_PRIV
- privBitSet.set(Privilege.SHOW_VIEW_PRIV.getIdx());
- }
+ compatibilityAuthIndexChange(privBitSet);
 });
 }
 }
+ public static void compatibilityAuthIndexChange(PrivBitSet privBitSet) {
+ if (privBitSet == null) {
+ return;
+ }
+ int currentVersion = Env.getCurrentEnvJournalVersion();
+ // not cloud mode,
+ // For versions greater than VERSION_123,
+ // the community requires versions above VERSION_129 to follow compatibility logic.
+
+ // SHOW_VIEW_PRIV_DEPRECATED -> SHOW_VIEW_PRIV (9 -> 14)
+ if (Config.isNotCloudMode() && currentVersion >= FeMetaVersion.VERSION_129) {
+ if (privBitSet.containsPrivs(Privilege.SHOW_VIEW_PRIV_DEPRECATED)) {
+ // remove SHOW_VIEW_PRIV_DEPRECATED
+ privBitSet.unset(Privilege.SHOW_VIEW_PRIV_DEPRECATED.getIdx());
+ // add SHOW_VIEW_PRIV
+ privBitSet.set(Privilege.SHOW_VIEW_PRIV.getIdx());
+ }
+ } else if (Config.isCloudMode()) {
+ // cloud mode
+ // For versions greater than VERSION_123, the cloud requires compatibility logic.
+
+ // CLUSTER_USAGE_PRIV_DEPRECATED -> CLUSTER_USAGE_PRIV (9 -> 12)
+
+ if (privBitSet.containsPrivs(Privilege.CLUSTER_USAGE_PRIV_DEPRECATED)) {
+ // remove CLUSTER_USAGE_PRIV_DEPRECATED
+ privBitSet.unset(Privilege.CLUSTER_USAGE_PRIV_DEPRECATED.getIdx());
+ // add CLUSTER_USAGE_PRIV
+ privBitSet.set(Privilege.CLUSTER_USAGE_PRIV.getIdx());
+ }
+
+ // STAGE_USAGE_PRIV_DEPRECATED -> STAGE_USAGE_PRIV (10 -> 13)
+ if (privBitSet.containsPrivs(Privilege.STAGE_USAGE_PRIV_DEPRECATED)) {
+ // remove CLUSTER_USAGE_PRIV_DEPRECATED
+ privBitSet.unset(Privilege.STAGE_USAGE_PRIV_DEPRECATED.getIdx());
+ // add CLUSTER_USAGE_PRIV
+ privBitSet.set(Privilege.STAGE_USAGE_PRIV.getIdx());
+ }
+
+ // SHOW_VIEW_PRIV_CLOUD_DEPRECATED -> SHOW_VIEW_PRIV (11 -> 14)
+ if (privBitSet.containsPrivs(Privilege.SHOW_VIEW_PRIV_CLOUD_DEPRECATED)) {
+ // remove SHOW_VIEW_PRIV_CLOUD_DEPRECATED
+ privBitSet.unset(Privilege.SHOW_VIEW_PRIV_CLOUD_DEPRECATED.getIdx());
+ // add SHOW_VIEW_PRIV
+ privBitSet.set(Privilege.SHOW_VIEW_PRIV.getIdx());
+ }
+ }
+ }
+
 private void rebuildPrivTables() {
 globalPrivTable = new GlobalPrivTable();
 catalogPrivTable = new CatalogPrivTable();
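Review bot: `compatibilityAuthIndexChange` no longer knows which pattern map a bit set came from: in cloud mode it applies all three remaps (9 -> 12, 10 -> 13, 11 -> 14) to whatever it is given, whereas the removed code applied each remap only to `clusterPatternToPrivs`, `stagePatternToPrivs` or `tblPatternToPrivs` respectively. With the new callers in `Auth.replayGrant` and `Auth.replayRevoke` passing table, resource and workload-group bit sets, a stray low bit on the wrong kind of entry would now be promoted to a live privilege; whether that can occur depends on code outside this hunk. As a public static entry point on the privilege path, the method deserves a Javadoc stating that it mutates its argument, is a no-op on null, and is not scoped by pattern type (if that is intended). The two comments under the STAGE_USAGE block are copy-paste leftovers and should read `// remove STAGE_USAGE_PRIV_DEPRECATED` and `// add STAGE_USAGE_PRIV`. `compatibilityErrEnum` starts above the hunk and `rebuildPrivTables` continues below it.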