[feature](security) Support block specific query with AST names #43533

Merged: gavinchou merged 2 commits into apache:master from Hastyshell:forbid-specific-sql-command on Nov 12, 2024

@Hastyshell (Collaborator) commented Nov 8, 2024

What problem does this PR solve?

Support blocking specific queries by their AST names when necessary for security reasons. Configure the name list in fe.conf, for example:

```
block_sql_ast_names="CreateFileStmt, CreateFunctionStmt"
```

Release note

Support blocking some SQL statements, e.g. CreateFileStmt, when necessary for security reasons.


@doris-robot

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@Hastyshell force-pushed the forbid-specific-sql-command branch from 3aeba2c to b6ce6d5 on November 8, 2024 13:11
@Hastyshell (Collaborator, Author)

run buildall

@Hastyshell force-pushed the forbid-specific-sql-command branch from 3265cef to 72c9ec3 on November 11, 2024 13:02
@Hastyshell (Collaborator, Author)

run buildall

}

@Test
public void testBlockSqlAst(@Mocked UseStmt useStmt, @Mocked SqlParser parser) throws Exception {
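
Review bot: in the testBlockSqlAst signature, SqlParser is injected as @Mocked alongside UseStmt, so as far as these lines show the test never runs real SQL text through the parser and cannot confirm that a name configured in block_sql_ast_names matches the class the parser actually produces. Consider adding at least one case that parses a real statement with an unmocked parser and asserts that it is rejected.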
Contributor


test create file, create function statement too

also test some commands that should not be blocked

@Hastyshell (Collaborator, Author)

run feut

@Hastyshell force-pushed the forbid-specific-sql-command branch from 88ac5fd to 6c63b91 on November 12, 2024 06:48
@Hastyshell (Collaborator, Author)

run feut

@Hastyshell force-pushed the forbid-specific-sql-command branch from 6c63b91 to 2054ace on November 12, 2024 09:01
@Hastyshell marked this pull request as ready for review November 12, 2024 09:02
@Hastyshell (Collaborator, Author)

run buildall

@Hastyshell force-pushed the forbid-specific-sql-command branch from 2054ace to ae31056 on November 12, 2024 11:19
@Hastyshell (Collaborator, Author)

run buildall

@Hastyshell force-pushed the forbid-specific-sql-command branch from ae31056 to 8b0eb27 on November 12, 2024 11:24
@Hastyshell (Collaborator, Author)

run buildall

@github-actions bot added the approved label Nov 12, 2024
@github-actions (Contributor)

PR approved by at least one committer and no changes requested.

@github-actions (Contributor)

PR approved by anyone and no changes requested.

@gavinchou self-requested a review November 12, 2024 15:30
@gavinchou changed the title from "[feature](admin) Support block specific query by AST name" to "[feature](security) Support block specific query with AST names" Nov 12, 2024
@gavinchou merged commit 8d6659c into apache:master Nov 12, 2024
py023 pushed a commit to py023/doris that referenced this pull request Nov 13, 2024
…he#43533)

Support block specific query with AST names when necessary for security
reasons, configure the name list in fe.conf, for example:
```
block_sql_ast_names="CreateFileStmt, CreateFunctionStmt"
```
Hastyshell added a commit to Hastyshell/doris that referenced this pull request Nov 13, 2024
…he#43533)

Support block specific query with AST names when necessary for security
reasons, configure the name list in fe.conf, for example:
```
block_sql_ast_names="CreateFileStmt, CreateFunctionStmt"
```
dataroaring pushed a commit that referenced this pull request Nov 13, 2024
…) (#43887)

pick #43533

Support block specific query with AST names when necessary for security
reasons, configure the name list in fe.conf, for example:
```
block_sql_ast_names="CreateFileStmt, CreateFunctionStmt"
```
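
The mechanism the PR description describes, as an added example that is not code from this PR or from the Doris repository: it parses the block_sql_ast_names value from fe.conf and rejects a parsed statement whose AST class name is on the list. The helper names, the stand-in statement classes, the error message, and the assumption that a configured name is compared with the statement's simple class name are all hypothetical.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

public class BlockSqlAstDemo {
    // Constructed stand-ins for parsed statement (AST root) classes; not the Doris classes.
    static class CreateFileStmt {}
    static class CreateFunctionStmt {}
    static class UseStmt {}

    // Hypothetical helper: turn the fe.conf value into a set of names.
    // Each entry is trimmed so "A, B" and "A,B" behave the same; empty entries are dropped.
    static Set<String> parseBlockList(String confValue) {
        if (confValue == null) {
            return Set.of();
        }
        return Arrays.stream(confValue.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toUnmodifiableSet());
    }

    // Hypothetical check, run after parsing and before execution.
    // Assumption: a configured name matches when it equals the simple class name exactly.
    // The comparison is case-sensitive, so a misspelled entry blocks nothing.
    static void checkNotBlocked(Object parsedStmt, Set<String> blocked) {
        String astName = parsedStmt.getClass().getSimpleName();
        if (blocked.contains(astName)) {
            throw new SecurityException("SQL is blocked, AST name: " + astName);
        }
    }

    public static void main(String[] args) {
        // Same value as the fe.conf example, including the space after the comma.
        Set<String> blocked = parseBlockList("CreateFileStmt, CreateFunctionStmt");
        Object[] stmts = {new CreateFileStmt(), new CreateFunctionStmt(), new UseStmt()};
        for (Object stmt : stmts) {
            try {
                checkNotBlocked(stmt, blocked);
                System.out.println(stmt.getClass().getSimpleName() + ": allowed");
            } catch (SecurityException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```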

Labels: approved, dev/3.0.3-merged, p0_c, reviewed
