Skip to content

branch-4.1: [fix](fe) Fix Ranger column-level privilege bypass when CTE combined #61741#63048

Merged
yiguolei merged 1 commit into
branch-4.1from
auto-pick-61741-branch-4.1
May 9, 2026
Merged

branch-4.1: [fix](fe) Fix Ranger column-level privilege bypass when CTE combined #61741#63048
yiguolei merged 1 commit into
branch-4.1from
auto-pick-61741-branch-4.1

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 7, 2026

Cherry-picked from #61741

@smith1000
[fix](fe) Fix Ranger column-level privilege bypass when CTE combined (#…
adb34ca 
…61741)

### What problem does this PR solve?

Issue Number: close #61631

Problem Summary: When a CTE (WITH ... AS) is referenced multiple times
in a
JOIN query and is not inlined (due to inlineCTEReferencedThreshold), the
CheckPrivileges rule does not traverse the CTE producer subtree because
LogicalCTEConsumer is a leaf node in the plan tree. This means
column-level
privileges on the CTE's underlying tables are never checked, allowing
users
without proper column access to bypass Ranger authorization.

The fix adds a `visitLogicalCTEConsumer` override in `CheckPrivileges`
that
explicitly retrieves the CTE producer plan (stored by
`RewriteCteChildren`)
and traverses it for privilege checking. The `privChecked` flag remains
on
`StatementContext` to preserve the view permission passthrough
mechanism.

### Release note

Fixed a security issue where Ranger column-level privileges could be
bypassed
when using CTE (WITH ... AS) combined with JOIN queries. Users without
proper
column access permissions could read restricted columns through CTE+JOIN
patterns.

### Check List (For Author)

- Test: Unit Test / Manual test (verified with Ranger 2.7.0 + Doris
4.0.2 environment)
- Behavior changed: No
- Does this need documentation: No

---------

Co-authored-by: geshengli <geshengli@wps.cn>
@github-actions github-actions Bot requested a review from yiguolei as a code owner May 7, 2026 03:35
@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 7, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@hello-stephen hello-stephen reopened this May 7, 2026
@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 7, 2026

run buildall

@yiguolei yiguolei merged commit ced46ce into branch-4.1 May 9, 2026
29 of 32 checks passed
@github-actions github-actions Bot added the approved Indicates a PR has been approved by one committer. label May 9, 2026
@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions Bot commented May 9, 2026

PR approved by at least one committer and no changes requested.

@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions Bot commented May 9, 2026

PR approved by anyone and no changes requested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yiguolei yiguolei yiguolei approved these changes

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by one committer. reviewed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hello-stephen @yiguolei @smith1000