From 8b54a41d9d92fa4baf5bf8f919d3d9654e2864e3 Mon Sep 17 00:00:00 2001 From: spricoder Date: Wed, 28 Jun 2023 22:23:19 +0800 Subject: [PATCH 01/10] Refactor/merge privilege --- .../it/IoTDBClusterAuthorityIT.java | 15 +- .../org/apache/iotdb/db/it/IoTDBAuthIT.java | 148 +++++-------- .../org/apache/iotdb/db/it/cq/IoTDBCQIT.java | 4 +- .../db/it/selectinto/IoTDBSelectIntoIT.java | 5 +- .../it/trigger/IoTDBTriggerManagementIT.java | 17 +- .../org/apache/iotdb/db/qp/sql/SqlLexer.g4 | 208 +++--------------- .../request/ConfigPhysicalPlanSerDeTest.java | 3 +- .../persistence/AuthorInfoTest.java | 23 +- .../iotdb/db/auth/AuthorityChecker.java | 120 ++++------ .../queryengine/plan/parser/ASTVisitor.java | 6 - .../iotdb/db/auth/AuthorizerManagerTest.java | 12 +- .../commons/auth/entity/PrivilegeType.java | 61 +---- .../apache/iotdb/commons/utils/AuthUtils.java | 62 +++--- 13 files changed, 215 insertions(+), 469 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java index dbef8dc24ede..9306f9cf2384 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java @@ -68,8 +68,7 @@ public void tearDown() { EnvFactory.getEnv().cleanClusterEnvironment(); } - private void cleanUserAndRole(IConfigNodeRPCService.Iface client) - throws TException, IllegalPathException { + private void cleanUserAndRole(IConfigNodeRPCService.Iface client) throws TException { TSStatus status; // clean user 
@@ -121,15 +120,13 @@ public void permissionTest() throws IllegalPathException { TCheckUserPrivilegesReq checkUserPrivilegesReq; Set privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); - privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); Set revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); List privilege = new ArrayList<>(); - privilege.add("root.** : CREATE_USER"); - privilege.add("root.** : CREATE_USER"); + privilege.add("root.** : USER_PRIVILEGE"); List paths = new ArrayList<>(); paths.add(new PartialPath("root.ln.**")); @@ -159,7 +156,7 @@ public void permissionTest() throws IllegalPathException { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.DELETE_USER.ordinal()); + PrivilegeType.USER_PRIVILEGE.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -270,7 +267,7 @@ public void permissionTest() throws IllegalPathException { new TCheckUserPrivilegesReq( "tempuser0", AuthUtils.serializePartialPathList(paths), - PrivilegeType.DELETE_USER.ordinal()); + PrivilegeType.USER_PRIVILEGE.ordinal()); status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java index 667eca5547c3..a2d576731f0b 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java 
@@ -81,7 +81,7 @@ public void allPrivilegesTest() throws SQLException { () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)")); Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); adminStmt.execute("GRANT USER tempuser PRIVILEGES ALL on root.**"); @@ -89,11 +89,11 @@ public void allPrivilegesTest() throws SQLException { userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (100, 100)"); userStmt.execute("SELECT * from root.a"); - userStmt.execute("GRANT USER tempuser PRIVILEGES SET_STORAGE_GROUP ON root.a"); - userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b"); + userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); + userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.b.b"); adminStmt.execute("REVOKE USER tempuser PRIVILEGES ALL on root.**"); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.b.b"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.b.b"); Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.b")); Assert.assertThrows( @@ -106,7 +106,7 @@ public void allPrivilegesTest() throws SQLException { Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); } } } 
@@ -123,20 +123,10 @@ public void testSetDeleteSG() throws SQLException { Assert.assertThrows( SQLException.class, () -> userStmt.execute("CREATE DATABASE root.sgtest")); - adminStmt.execute("GRANT USER sgtest PRIVILEGES CREATE_DATABASE ON root.*"); + adminStmt.execute("GRANT USER sgtest PRIVILEGES WRITE_SCHEMA ON root.*"); try { userStmt.execute("CREATE DATABASE root.sgtest"); - } catch (SQLException e) { - fail(e.getMessage()); - } - - Assert.assertThrows( - SQLException.class, () -> userStmt.execute("DELETE DATABASE root.sgtest")); - - adminStmt.execute("GRANT USER sgtest PRIVILEGES DELETE_STORAGE_GROUP ON root.*"); - - try { userStmt.execute("DELETE DATABASE root.sgtest"); } catch (SQLException e) { fail(e.getMessage()); 
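Review bot: With CREATE_DATABASE and DELETE_STORAGE_GROUP folded into the single WRITE_SCHEMA grant, this hunk drops the only assertion that `DELETE DATABASE root.sgtest` is refused to a user lacking the privilege, so testSetDeleteSG now exercises deletion on the positive path only. Keep a negative case by revoking between the create and the delete: `adminStmt.execute("REVOKE USER sgtest PRIVILEGES WRITE_SCHEMA ON root.*");` followed by `Assert.assertThrows(SQLException.class, () -> userStmt.execute("DELETE DATABASE root.sgtest"));`, then re-grant before the existing delete. The try block that follows continues outside the hunk.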
@@ -197,65 +187,56 @@ public void illegalGrantRevokeUserTest() throws SQLException { // grant a non-existing user Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES CREATE_DATABASE on root.a")); + () -> adminStmt.execute("GRANT USER nulluser PRIVILEGES WRITE_SCHEMA on root.a")); // grant a non-existing privilege Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a")); // duplicate grant - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_USER on root.**")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); // grant on a illegal seriesPath Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); // grant admin Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER root PRIVILEGES DELETE_TIMESERIES on root.a.b")); + () -> adminStmt.execute("GRANT USER root PRIVILEGES WRITE_SCHEMA on root.a.b")); // no privilege to grant Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); // revoke a non-existing privilege - adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_USER on root.**")); + () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES USER_PRIVILEGE on 
root.**")); // revoke a non-existing user Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES CREATE_USER on root.**")); + () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES USER_PRIVILEGE on root.**")); // revoke on a illegal seriesPath Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on a.b")); + () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); // revoke admin Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("REVOKE USER root PRIVILEGES DELETE_TIMESERIES on root.a.b")); + () -> adminStmt.execute("REVOKE USER root PRIVILEGES WRITE_SCHEMA on root.a.b")); // no privilege to revoke Assert.assertThrows( SQLException.class, - () -> - userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); + () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); // grant privilege to grant Assert.assertThrows( SQLException.class, - () -> userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.a.b")); - - adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_USER_PRIVILEGE on root.**"); - userStmt.execute("GRANT USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**"); - - // grant privilege to revoke - Assert.assertThrows( - SQLException.class, - () -> userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**")); + () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES REVOKE_USER_PRIVILEGE on root.**"); - userStmt.execute("REVOKE USER tempuser PRIVILEGES DELETE_TIMESERIES on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_PRIVILEGE on root.**"); + userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); } } } 
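Review bot: The closing `userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.**")` revokes a privilege that nothing visible in this hunk ever granted to tempuser, and the "revoke a non-existing privilege" case a few lines up expects exactly that to throw; unless tempuser already holds WRITE_SCHEMA on root.** from the part of the test above this hunk, this statement fails. The rewrite also loses the positive self-grant check and the negative revoke-without-privilege check the removed lines provided. Now that one GRANT_PRIVILEGE covers both directions the tail should read `adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_PRIVILEGE on root.**"); userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.**");` with the existing assertThrows before the grant kept as the negative case. A comment such as `// a holder of GRANT_PRIVILEGE may grant to itself` would make explicit what the test now relies on.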
@@ -273,23 +254,23 @@ public void createDeleteTimeSeriesTest() throws SQLException { // grant and revoke the user the privilege to create time series Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); userStmt.execute("CREATE DATABASE root.a"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); // no privilege to create this one Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.b")); // privilege already exists Assert.assertThrows( SQLException.class, - () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a")); - // no privilege to create this one any more + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a")); + // no privilege to create this one anymore Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); // no privilege to create timeseries Assert.assertThrows(SQLException.class, () -> userStmt.execute("CREATE DATABASE root.a")); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); - // no privilege to create this one any more + adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); + // no privilege to create this one anymore Assert.assertThrows( SQLException.class, () -> 
@@ -297,11 +278,10 @@ public void createDeleteTimeSeriesTest() throws SQLException { // privilege already exists Assert.assertThrows( SQLException.class, - () -> - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b")); + () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b")); - adminStmt.execute("REVOKE USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); - // no privilege to create this one any more + adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); + // no privilege to create this one anymore Assert.assertThrows( SQLException.class, () -> @@ -319,9 +299,9 @@ public void insertQueryTest() throws SQLException { try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw"); Statement userStmt = userCon.createStatement()) { - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_DATABASE ON root.a"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a"); userStmt.execute("CREATE DATABASE root.a"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES CREATE_TIMESERIES ON root.a.b"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA ON root.a.b"); userStmt.execute("CREATE TIMESERIES root.a.b WITH DATATYPE=INT32,ENCODING=PLAIN"); // grant privilege to insert 
@@ -329,25 +309,25 @@ public void insertQueryTest() throws SQLException { SQLException.class, () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on root.a.**"); userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)"); // revoke privilege to insert - adminStmt.execute("REVOKE USER tempuser PRIVILEGES INSERT_TIMESERIES on root.a.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_DATA on root.a.**"); Assert.assertThrows( SQLException.class, () -> userStmt.execute("INSERT INTO root.a(timestamp, b) VALUES (1,100)")); // grant privilege to query Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); - adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on root.**"); ResultSet resultSet = userStmt.executeQuery("SELECT * from root.a"); resultSet.close(); resultSet = userStmt.executeQuery("SELECT LAST b from root.a"); resultSet.close(); // revoke privilege to query - adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); + adminStmt.execute("REVOKE USER tempuser PRIVILEGES READ_DATA on root.**"); Assert.assertThrows(SQLException.class, () -> userStmt.execute("SELECT * from root.a")); } } @@ -366,7 +346,7 @@ public void rolePrivilegeTest() throws SQLException { adminStmt.execute("CREATE ROLE admin"); adminStmt.execute( - "GRANT ROLE admin PRIVILEGES CREATE_DATABASE,CREATE_TIMESERIES,DELETE_TIMESERIES,READ_TIMESERIES,INSERT_TIMESERIES on root.**"); + "GRANT ROLE admin PRIVILEGES WRITE_SCHEMA,READ_DATA,WRITE_DATA on root.**"); adminStmt.execute("GRANT admin TO tempuser"); userStmt.execute("CREATE DATABASE root.a"); 
@@ -377,13 +357,8 @@ public void rolePrivilegeTest() throws SQLException { ResultSet resultSet = userStmt.executeQuery("SELECT * FROM root.**"); resultSet.close(); - adminStmt.execute("REVOKE ROLE admin PRIVILEGES DELETE_TIMESERIES on root.**"); - - Assert.assertThrows( - SQLException.class, - () -> userStmt.execute("DELETE FROM root.* WHERE TIME <= 1000000000")); - - adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_TIMESERIES on root.**"); + adminStmt.execute("REVOKE ROLE admin PRIVILEGES WRITE_SCHEMA on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES READ_DATA on root.**"); adminStmt.execute("REVOKE admin FROM tempuser"); resultSet = userStmt.executeQuery("SELECT * FROM root.**"); resultSet.close(); @@ -494,7 +469,7 @@ public void testListUserPrivileges() throws SQLException { try { adminStmt.execute("CREATE USER user1 'password1'"); - adminStmt.execute("GRANT USER user1 PRIVILEGES READ_TIMESERIES ON root.a.b"); + adminStmt.execute("GRANT USER user1 PRIVILEGES READ_SCHEMA ON root.a.b"); adminStmt.execute("CREATE ROLE role1"); adminStmt.execute( "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); 
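Review bot: The removed `Assert.assertThrows(... "DELETE FROM root.* WHERE TIME <= 1000000000")` was the only check in rolePrivilegeTest that revoking a role privilege actually blocks a data mutation, and its replacement revokes WRITE_SCHEMA without asserting anything the user can no longer do. If data deletion is now gated by WRITE_DATA (the privilege the role receives on the preceding lines), the negative case should survive as `adminStmt.execute("REVOKE ROLE admin PRIVILEGES WRITE_DATA on root.**");` followed by `Assert.assertThrows(SQLException.class, () -> userStmt.execute("DELETE FROM root.* WHERE TIME <= 1000000000"));`. The subsequent `GRANT USER tempuser PRIVILEGES READ_DATA` keeps the SELECT that follows working either way.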
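Review bot: The unchanged context line `"GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"` still uses token names this patch deletes from PRIVILEGE_VALUE in SqlLexer.g4, while the expected listing in the next hunk is `role1,root.a.b.c : WRITE_DATA READ_SCHEMA`; as committed the grant should be rejected the same way the NOT_A_PRIVILEGE case is, unless a later patch in this series rewrites it. It should read `"GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"` (and likewise for root.d.b.c, which is outside this hunk), matching the equivalent change made in testListRolePrivileges. testListUserPrivileges continues outside the hunk.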
@@ -504,27 +479,27 @@ public void testListUserPrivileges() throws SQLException { ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1"); String ans = - ",root.a.b : READ_TIMESERIES" + ",root.a.b : READ_SCHEMA" + ",\n" - + "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES" + + "role1,root.a.b.c : WRITE_DATA READ_SCHEMA" + ",\n" - + "role1,root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES" + + "role1,root.d.b.c : WRITE_DATA READ_SCHEMA" + ",\n"; try { validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.b.c"); - ans = "role1,root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; + ans = "role1,root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); adminStmt.execute("REVOKE role1 from user1"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1"); - ans = ",root.a.b : READ_TIMESERIES,\n"; + ans = ",root.a.b : READ_SCHEMA,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1 ON root.a.**"); - ans = ",root.a.b : READ_TIMESERIES,\n"; + ans = ",root.a.b : READ_SCHEMA,\n"; validateResultSet(resultSet, ans); } finally { resultSet.close(); 
@@ -548,31 +523,24 @@ public void testListRolePrivileges() throws SQLException { // not granted list role privilege, should return empty validateResultSet(resultSet, ans); - adminStmt.execute( - "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); - adminStmt.execute( - "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c"); + adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); + adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = - "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n" - + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; + ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n" + "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); - ans = "root.a.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; + ans = "root.a.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); - adminStmt.execute( - "REVOKE ROLE role1 PRIVILEGES INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); + adminStmt.execute("REVOKE ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1"); - ans = - "root.a.b.c : READ_TIMESERIES,\n" - + "root.d.b.c : INSERT_TIMESERIES READ_TIMESERIES DELETE_TIMESERIES,\n"; + ans = "root.d.b.c : WRITE_DATA READ_SCHEMA,\n"; validateResultSet(resultSet, ans); resultSet = adminStmt.executeQuery("LIST PRIVILEGES ROLE role1 ON root.a.b.c"); - ans = "root.a.b.c : READ_TIMESERIES,\n"; + ans = ""; validateResultSet(resultSet, ans); } finally { resultSet.close(); 
@@ -734,7 +702,7 @@ public void testListUserPrivilege() throws SQLException { try { Assert.assertThrows(SQLException.class, () -> userStmt.execute("LIST USER")); // with list user privilege - adminStmt.execute("GRANT USER tempuser PRIVILEGES LIST_USER on root.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); ResultSet resultSet = userStmt.executeQuery("LIST USER"); String ans = "root,\n" @@ -777,7 +745,7 @@ public void testExecuteBatchWithPrivilege1() throws SQLException { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser 'temppw'"); - adminStmt.execute("GRANT USER tempuser PRIVILEGES INSERT_TIMESERIES on root.sg1.**"); + adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_DATA on root.sg1.**"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw"); Statement userStatement = userCon.createStatement()) { @@ -814,8 +782,7 @@ public void testSelectUDTF() throws SQLException { Statement adminStatement = adminConnection.createStatement()) { adminStatement.execute("CREATE USER a_application 'a_application'"); adminStatement.execute("CREATE ROLE application_role"); - adminStatement.execute( - "GRANT ROLE application_role PRIVILEGES READ_TIMESERIES ON root.test.**"); + adminStatement.execute("GRANT ROLE application_role PRIVILEGES READ_DATA ON root.test.**"); adminStatement.execute("GRANT application_role TO a_application"); adminStatement.execute("INSERT INTO root.test(time, s1, s2, s3) VALUES(1, 2, 3, 4)"); 
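Review bot: `LIST USER` is a read-only operation, yet the test now grants `USER_PRIVILEGE on root.**` to enable it, and the other hunks in this patch show USER_PRIVILEGE standing in for CREATE_USER and DELETE_USER as well. An account that only needs to enumerate users (monitoring, audit) must therefore be given the ability to create and delete accounts, a least-privilege regression relative to the former LIST_USER. If the coarsening is intended it deserves a comment at the grant, e.g. `// USER_PRIVILEGE also covers create/delete user; no read-only listing privilege exists after the merge`; otherwise a separate read-only privilege for LIST USER / LIST ROLE should be kept.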
@@ -839,8 +806,7 @@ public void testGrantUserRole() throws SQLException { adminStatement.execute("CREATE USER user01 'pass1234'"); adminStatement.execute("CREATE USER user02 'pass1234'"); adminStatement.execute("CREATE ROLE manager"); - adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_USER_ROLE on root.**"); - adminStatement.execute("GRANT USER user01 PRIVILEGES REVOKE_USER_ROLE on root.**"); + adminStatement.execute("GRANT USER user01 PRIVILEGES GRANT_PRIVILEGE on root.**"); } try (Connection userCon = EnvFactory.getEnv().getConnection("user01", "pass1234"); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java index 1168efd62be5..bad025be5b04 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/cq/IoTDBCQIT.java @@ -541,11 +541,11 @@ public void testShowAuth() { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege SHOW_CONTINUOUS_QUERIES", + + ": No permissions for this operation, please add privilege CONTINUOUS_QUERY_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES SHOW_CONTINUOUS_QUERIES"); + statement.execute("GRANT USER `zmty` PRIVILEGES CONTINUOUS_QUERY_PRIVILEGE"); try (ResultSet resultSet = statement2.executeQuery("show CQS")) { diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java index 4c0b47d1617e..354a4cae81fc 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java 
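Review bot: The replaced pair GRANT_USER_ROLE/REVOKE_USER_ROLE let user01 only assign or remove existing roles, whereas `GRANT_PRIVILEGE on root.**` — per illegalGrantRevokeUserTest in this same patch — lets its holder grant and revoke arbitrary privileges, including to itself, so a role-administration account gains full self-escalation after this change. If role assignment is meant to remain a weaker capability it should keep its own token; if the merge is deliberate, the test should assert the new bound (for example that user01 still cannot create a user without USER_PRIVILEGE) and a comment such as `// GRANT_PRIVILEGE covers role assignment and all privilege grants/revokes` should make the width of the grant explicit. The try block that follows continues outside the hunk.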
@@ -550,7 +550,7 @@ public void testPermission1() throws SQLException { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser1 'temppw1'"); - adminStmt.execute("GRANT USER tempuser1 PRIVILEGES INSERT_TIMESERIES on root.sg_bk.**;"); + adminStmt.execute("GRANT USER tempuser1 PRIVILEGES WRITE_DATA on root.sg_bk.**;"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser1", "temppw1"); Statement userStmt = userCon.createStatement()) { @@ -561,8 +561,7 @@ public void testPermission1() throws SQLException { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains( - "No permissions for this operation, please add privilege READ_TIMESERIES")); + .contains("No permissions for this operation, please add privilege READ_SCHEMA")); } } } diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java index 00a2530d8caf..45de743186d4 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/trigger/IoTDBTriggerManagementIT.java @@ -546,11 +546,12 @@ public void testCreateAuth() { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege CREATE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on root.test.stateless.a"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); try { statement2.execute( 
@@ -576,7 +577,7 @@ public void testCreateAuth() { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege CREATE_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } } @@ -608,11 +609,12 @@ public void testDropAuth() { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege DROP_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES CREATE_TRIGGER on root.test.stateless.b"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.b"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); @@ -620,11 +622,12 @@ public void testDropAuth() { } catch (Exception e) { assertEquals( TSStatusCode.NO_PERMISSION.getStatusCode() - + ": No permissions for this operation, please add privilege DROP_TRIGGER", + + ": No permissions for this operation, please add privilege TRIGGER_PRIVILEGE", e.getMessage()); } - statement.execute("GRANT USER `zmty` PRIVILEGES DROP_TRIGGER on root.test.stateless.a"); + statement.execute( + "GRANT USER `zmty` PRIVILEGES TRIGGER_PRIVILEGE on root.test.stateless.a"); try { statement2.execute("drop trigger " + STATELESS_TRIGGER_BEFORE_INSERTION_PREFIX + "a"); diff --git a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 index 9ed929a9b06a..0dbb231becb8 100644 --- a/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 +++ b/iotdb-core/antlr/src/main/antlr4/org/apache/iotdb/db/qp/sql/SqlLexer.g4 
@@ -853,140 +853,65 @@ ELSE // Privileges Keywords PRIVILEGE_VALUE - : SET_STORAGE_GROUP | DELETE_STORAGE_GROUP | CREATE_DATABASE | DELETE_DATABASE - | CREATE_TIMESERIES | INSERT_TIMESERIES | READ_TIMESERIES | DELETE_TIMESERIES | ALTER_TIMESERIES - | CREATE_USER | DELETE_USER | MODIFY_PASSWORD | LIST_USER - | GRANT_USER_PRIVILEGE | REVOKE_USER_PRIVILEGE | GRANT_USER_ROLE | REVOKE_USER_ROLE - | CREATE_ROLE | DELETE_ROLE | LIST_ROLE | GRANT_ROLE_PRIVILEGE | REVOKE_ROLE_PRIVILEGE - | CREATE_FUNCTION | DROP_FUNCTION | CREATE_TRIGGER | DROP_TRIGGER | START_TRIGGER | STOP_TRIGGER - | CREATE_CONTINUOUS_QUERY | DROP_CONTINUOUS_QUERY | SHOW_CONTINUOUS_QUERIES - | APPLY_TEMPLATE | UPDATE_TEMPLATE | READ_TEMPLATE | READ_TEMPLATE_APPLICATION - | CREATE_PIPEPLUGIN | DROP_PIPEPLUGIN | SHOW_PIPEPLUGINS | CREATE_PIPE | START_PIPE | STOP_PIPE | DROP_PIPE | SHOW_PIPES - | CREATE_VIEW | ALTER_VIEW | RENAME_VIEW | DELETE_VIEW + : READ_DATA + | WRITE_DATA + | READ_SCHEMA + | WRITE_SCHEMA + | USER_PRIVILEGE + | ROLE_PRIVILEGE + | GRANT_PRIVILEGE + | ALTER_PASSWORD + | TRIGGER_PRIVILEGE + | CONTINUOUS_QUERY_PRIVILEGE + | PIPE_PRIVILEGE ; -SET_STORAGE_GROUP - : S E T '_' S T O R A G E '_' G R O U P - ; - -DELETE_STORAGE_GROUP - : D E L E T E '_' S T O R A G E '_' G R O U P - ; - -CREATE_DATABASE - : C R E A T E '_' D A T A B A S E - ; - -DELETE_DATABASE - : D E L E T E '_' D A T A B A S E - ; - -CREATE_TIMESERIES - : C R E A T E '_' T I M E S E R I E S +READ_DATA + : R E A D '_' D A T A ; -INSERT_TIMESERIES - : I N S E R T '_' T I M E S E R I E S +WRITE_DATA + : W R I T E '_' D A T A ; -READ_TIMESERIES - : R E A D '_' T I M E S E R I E S +READ_SCHEMA + : R E A D '_' S C H E M A ; -DELETE_TIMESERIES - : D E L E T E '_' T I M E S E R I E S +WRITE_SCHEMA + : W R I T E '_' S C H E M A ; -ALTER_TIMESERIES - : A L T E R '_' T I M E S E R I E S +USER_PRIVILEGE + : U S E R '_' P R I V I L E G E ; -CREATE_USER - : C R E A T E '_' U S E R +ROLE_PRIVILEGE + : R O L E '_' P R I V I L E G E ; 
-DELETE_USER - : D E L E T E '_' U S E R +GRANT_PRIVILEGE + : G R A N T '_' P R I V I L E G E ; -MODIFY_PASSWORD - : M O D I F Y '_' P A S S W O R D +ALTER_PASSWORD + : A L T E R '_' P A S S W O R D ; -LIST_USER - : L I S T '_' U S E R +TRIGGER_PRIVILEGE + : T R I G G E R '_' P R I V I L E G E ; -GRANT_USER_PRIVILEGE - : G R A N T '_' U S E R '_' P R I V I L E G E +CONTINUOUS_QUERY_PRIVILEGE + : C O N T I N U O U S '_' Q U E R Y '_' P R I V I L E G E ; -REVOKE_USER_PRIVILEGE - : R E V O K E '_' U S E R '_' P R I V I L E G E +PIPE_PRIVILEGE + : P I P E '_' P R I V I L E G E ; -GRANT_USER_ROLE - : G R A N T '_' U S E R '_' R O L E - ; - -REVOKE_USER_ROLE - : R E V O K E '_' U S E R '_' R O L E - ; - -CREATE_ROLE - : C R E A T E '_' R O L E - ; - -DELETE_ROLE - : D E L E T E '_' R O L E - ; - -LIST_ROLE - : L I S T '_' R O L E - ; - -GRANT_ROLE_PRIVILEGE - : G R A N T '_' R O L E '_' P R I V I L E G E - ; - -REVOKE_ROLE_PRIVILEGE - : R E V O K E '_' R O L E '_' P R I V I L E G E - ; - -CREATE_FUNCTION - : C R E A T E '_' F U N C T I O N - ; - -DROP_FUNCTION - : D R O P '_' F U N C T I O N - ; - -CREATE_TRIGGER - : C R E A T E '_' T R I G G E R - ; - -DROP_TRIGGER - : D R O P '_' T R I G G E R - ; - -START_TRIGGER - : S T A R T '_' T R I G G E R - ; - -STOP_TRIGGER - : S T O P '_' T R I G G E R - ; - -CREATE_CONTINUOUS_QUERY - : C R E A T E '_' C O N T I N U O U S '_' Q U E R Y - ; - -DROP_CONTINUOUS_QUERY - : D R O P '_' C O N T I N U O U S '_' Q U E R Y - ; - -SHOW_CONTINUOUS_QUERIES - : S H O W '_' C O N T I N U O U S '_' Q U E R I E S +SET_STORAGE_GROUP + : S E T '_' S T O R A G E '_' G R O U P ; SCHEMA_REPLICATION_FACTOR 
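Review bot: The new PRIVILEGE_VALUE alternative list has no successor for CREATE_FUNCTION/DROP_FUNCTION, the four *_TEMPLATE privileges or CREATE/ALTER/RENAME/DELETE_VIEW, so after this patch none of those operations can be named in a GRANT at all (the pipe and pipe-plugin ones presumably fold into PIPE_PRIVILEGE). Either those statements are now authorized under a surviving group — in which case that mapping belongs in a comment above `PRIVILEGE_VALUE`, e.g. `// views, templates and UDFs are gated by WRITE_SCHEMA; see PrivilegeType` — or they fall outside any grantable privilege, which leaves them either permanently denied to non-root users or unchecked; the PrivilegeType and AuthorityChecker changes that decide this are not in view here. `SET_STORAGE_GROUP` is also re-added as a bare token without appearing in PRIVILEGE_VALUE; if it survives only because another rule references it, a one-line comment saying so would stop the next reader from treating it as a leftover privilege.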
@@ -1009,69 +934,6 @@ DATA_REGION_GROUP_NUM : D A T A '_' R E G I O N '_' G R O U P '_' N U M ; -APPLY_TEMPLATE - : A P P L Y '_' T E M P L A T E - ; - -UPDATE_TEMPLATE - : U P D A T E '_' T E M P L A T E - ; - -READ_TEMPLATE - : R E A D '_' T E M P L A T E - ; - -READ_TEMPLATE_APPLICATION - : R E A D '_' T E M P L A T E '_' A P P L I C A T I O N - ; - -CREATE_PIPEPLUGIN - : C R E A T E '_' P I P E P L U G I N - ; - -DROP_PIPEPLUGIN - : D R O P '_' P I P E P L U G I N - ; - -SHOW_PIPEPLUGINS - : S H O W '_' P I P E P L U G I N S - ; -CREATE_PIPE - : C R E A T E '_' P I P E - ; - -START_PIPE - : S T A R T '_' P I P E - ; - -STOP_PIPE - : S T O P '_' P I P E - ; - -DROP_PIPE - : D R O P '_' P I P E - ; - -SHOW_PIPES - : S H O W '_' P I P E S - ; - -CREATE_VIEW - : C R E A T E '_' V I E W - ; - -ALTER_VIEW - : A L T E R '_' V I E W - ; - -RENAME_VIEW - : R E N A M E '_' V I E W - ; - -DELETE_VIEW - : D E L E T E '_' V I E W - ; - /** * 3. Operators */ diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java index 572c662e048f..02d1a73dfdc0 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/consensus/request/ConfigPhysicalPlanSerDeTest.java @@ -533,8 +533,7 @@ public void AuthorPlanTest() throws IOException, AuthException, IllegalPathExcep AuthorPlan req0; AuthorPlan req1; Set permissions = new HashSet<>(); - permissions.add(PrivilegeType.GRANT_USER_PRIVILEGE.ordinal()); - permissions.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); + permissions.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); // create user req0 = 
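Review bot: `permissions.add(PrivilegeType.GRANT_PRIVILEGE.ordinal())` shows that AuthorPlan carries privileges as PrivilegeType ordinals, and this patch collapses the enum from several dozen constants to the eleven named in SqlLexer.g4, so any ordinal already written to the consensus log or an authorization snapshot decodes as a different privilege after upgrade (an old DELETE_USER index may well land on a data or grant privilege). Unless a migration step or a version-tagged encoding exists outside this diff, that is a silent privilege change at upgrade time and should be handled before the rename ships. A test that pins each constant to a fixed numeric id, or a switch to name-based serialization, would make such a break visible; PrivilegeType.java is in the diffstat but not in this chunk.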
diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java index ff5b2f337a2f..699969f8ff10 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java @@ -89,11 +89,10 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept TCheckUserPrivilegesReq checkUserPrivilegesReq; Set privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.DELETE_USER.ordinal()); - privilegeList.add(PrivilegeType.CREATE_USER.ordinal()); + privilegeList.add(PrivilegeType.USER_PRIVILEGE.ordinal()); Set revokePrivilege = new HashSet<>(); - revokePrivilege.add(PrivilegeType.DELETE_USER.ordinal()); + revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); Map> permissionInfo; List privilege = new ArrayList<>(); @@ -125,7 +124,7 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode()); @@ -218,7 +217,7 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept // check user privileges status = authorInfo - .checkUserPrivileges("user0", paths, PrivilegeType.DELETE_USER.ordinal()) + .checkUserPrivileges("user0", paths, PrivilegeType.USER_PRIVILEGE.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); 
@@ -513,18 +512,18 @@ public void testMultPathsPermission() throws TException, AuthException, IllegalP AuthorPlan authorPlan; Set privilegeList = new HashSet<>(); - privilegeList.add(PrivilegeType.INSERT_TIMESERIES.ordinal()); - privilegeList.add(PrivilegeType.READ_TIMESERIES.ordinal()); + privilegeList.add(PrivilegeType.WRITE_DATA.ordinal()); + privilegeList.add(PrivilegeType.READ_DATA.ordinal()); Map> permissionInfo; List userPrivilege = new ArrayList<>(); - userPrivilege.add("root.sg.** : INSERT_TIMESERIES READ_TIMESERIES"); - userPrivilege.add("root.ln.** : INSERT_TIMESERIES READ_TIMESERIES"); + userPrivilege.add("root.sg.** : READ_DATA WRITE_DATA"); + userPrivilege.add("root.ln.** : READ_DATA WRITE_DATA"); Collections.sort(userPrivilege); List rolePrivilege = new ArrayList<>(); - rolePrivilege.add("root.abc.** : INSERT_TIMESERIES READ_TIMESERIES"); - rolePrivilege.add("root.role_1.** : INSERT_TIMESERIES READ_TIMESERIES"); + rolePrivilege.add("root.abc.** : READ_DATA WRITE_DATA"); + rolePrivilege.add("root.role_1.** : READ_DATA WRITE_DATA"); Collections.sort(rolePrivilege); List allPrivilege = new ArrayList<>(); @@ -579,7 +578,7 @@ public void testMultPathsPermission() throws TException, AuthException, IllegalP // check user privileges status = authorInfo - .checkUserPrivileges("user0", userPaths, PrivilegeType.INSERT_TIMESERIES.ordinal()) + .checkUserPrivileges("user0", userPaths, PrivilegeType.WRITE_DATA.ordinal()) .getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java index 49e441934441..307a229a6c7d 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/auth/AuthorityChecker.java 
@@ -74,7 +74,7 @@ public static boolean checkPermission( int permission = translateToPermissionId(type); if (permission == -1) { return false; - } else if (permission == PrivilegeType.MODIFY_PASSWORD.ordinal() + } else if (permission == PrivilegeType.ALTER_PASSWORD.ordinal() && username.equals(targetUser)) { // a user can modify his own password return true; 
@@ -146,43 +146,31 @@ public static boolean checkAuthorization(Statement statement, String username) private static int translateToPermissionId(StatementType type) { switch (type) { - case CREATE_ROLE: - return PrivilegeType.CREATE_ROLE.ordinal(); - case CREATE_USER: - return PrivilegeType.CREATE_USER.ordinal(); - case DELETE_USER: - return PrivilegeType.DELETE_USER.ordinal(); - case DELETE_ROLE: - return PrivilegeType.DELETE_ROLE.ordinal(); - case MODIFY_PASSWORD: - return PrivilegeType.MODIFY_PASSWORD.ordinal(); - case GRANT_USER_PRIVILEGE: - return PrivilegeType.GRANT_USER_PRIVILEGE.ordinal(); - case GRANT_ROLE_PRIVILEGE: - return PrivilegeType.GRANT_ROLE_PRIVILEGE.ordinal(); - case REVOKE_USER_PRIVILEGE: - return PrivilegeType.REVOKE_USER_PRIVILEGE.ordinal(); - case REVOKE_ROLE_PRIVILEGE: - return PrivilegeType.REVOKE_ROLE_PRIVILEGE.ordinal(); - case GRANT_USER_ROLE: - return PrivilegeType.GRANT_USER_ROLE.ordinal(); - case REVOKE_USER_ROLE: - return PrivilegeType.REVOKE_USER_ROLE.ordinal(); - case STORAGE_GROUP_SCHEMA: + case SHOW_SCHEMA_TEMPLATE: + case SHOW_NODES_IN_SCHEMA_TEMPLATE: + case SHOW_PATH_SET_SCHEMA_TEMPLATE: + case SHOW_PATH_USING_SCHEMA_TEMPLATE: + return PrivilegeType.READ_SCHEMA.ordinal(); case TTL: - return PrivilegeType.CREATE_DATABASE.ordinal(); + case STORAGE_GROUP_SCHEMA: case DELETE_STORAGE_GROUP: - return PrivilegeType.DELETE_DATABASE.ordinal(); case CREATE_TIMESERIES: case CREATE_ALIGNED_TIMESERIES: case CREATE_MULTI_TIMESERIES: - return PrivilegeType.CREATE_TIMESERIES.ordinal(); case DELETE_TIMESERIES: - case DELETE: case DROP_INDEX: - return PrivilegeType.DELETE_TIMESERIES.ordinal(); case ALTER_TIMESERIES: - return PrivilegeType.ALTER_TIMESERIES.ordinal(); + case CREATE_TEMPLATE: + case DROP_TEMPLATE: + case SET_TEMPLATE: + case ACTIVATE_TEMPLATE: + case DEACTIVATE_TEMPLATE: + case UNSET_TEMPLATE: + case CREATE_LOGICAL_VIEW: + case ALTER_LOGICAL_VIEW: + case RENAME_LOGICAL_VIEW: + case DELETE_LOGICAL_VIEW: + return 
PrivilegeType.WRITE_SCHEMA.ordinal(); case SHOW: case QUERY: case GROUP_BY_TIME: 
@@ -195,75 +183,55 @@ private static int translateToPermissionId(StatementType type) { case GROUP_BY_FILL: case SELECT_INTO: case COUNT: - return PrivilegeType.READ_TIMESERIES.ordinal(); + case CREATE_FUNCTION: + case DROP_FUNCTION: + return PrivilegeType.READ_DATA.ordinal(); case INSERT: + case DELETE: case LOAD_DATA: case CREATE_INDEX: case BATCH_INSERT: case BATCH_INSERT_ONE_DEVICE: case BATCH_INSERT_ROWS: case MULTI_BATCH_INSERT: - return PrivilegeType.INSERT_TIMESERIES.ordinal(); - case LIST_ROLE: - case LIST_ROLE_USERS: - case LIST_ROLE_PRIVILEGE: - return PrivilegeType.LIST_ROLE.ordinal(); + return PrivilegeType.WRITE_DATA.ordinal(); + case CREATE_USER: + case DELETE_USER: case LIST_USER: case LIST_USER_ROLES: case LIST_USER_PRIVILEGE: - return PrivilegeType.LIST_USER.ordinal(); - case CREATE_FUNCTION: - return PrivilegeType.CREATE_FUNCTION.ordinal(); - case DROP_FUNCTION: - return PrivilegeType.DROP_FUNCTION.ordinal(); + return PrivilegeType.USER_PRIVILEGE.ordinal(); + case CREATE_ROLE: + case DELETE_ROLE: + case LIST_ROLE: + case LIST_ROLE_USERS: + case LIST_ROLE_PRIVILEGE: + return PrivilegeType.ROLE_PRIVILEGE.ordinal(); + case MODIFY_PASSWORD: + return PrivilegeType.ALTER_PASSWORD.ordinal(); + case GRANT_USER_PRIVILEGE: + case REVOKE_USER_PRIVILEGE: + case GRANT_ROLE_PRIVILEGE: + case REVOKE_ROLE_PRIVILEGE: + case GRANT_USER_ROLE: + case REVOKE_USER_ROLE: + return PrivilegeType.GRANT_PRIVILEGE.ordinal(); case CREATE_TRIGGER: - return PrivilegeType.CREATE_TRIGGER.ordinal(); case DROP_TRIGGER: - return PrivilegeType.DROP_TRIGGER.ordinal(); + return PrivilegeType.TRIGGER_PRIVILEGE.ordinal(); case CREATE_CONTINUOUS_QUERY: - return PrivilegeType.CREATE_CONTINUOUS_QUERY.ordinal(); case DROP_CONTINUOUS_QUERY: - return PrivilegeType.DROP_CONTINUOUS_QUERY.ordinal(); - case CREATE_TEMPLATE: - case DROP_TEMPLATE: - return PrivilegeType.UPDATE_TEMPLATE.ordinal(); - case SET_TEMPLATE: - case ACTIVATE_TEMPLATE: - case DEACTIVATE_TEMPLATE: - case UNSET_TEMPLATE: - 
return PrivilegeType.APPLY_TEMPLATE.ordinal(); - case SHOW_SCHEMA_TEMPLATE: - case SHOW_NODES_IN_SCHEMA_TEMPLATE: - return PrivilegeType.READ_TEMPLATE.ordinal(); - case SHOW_PATH_SET_SCHEMA_TEMPLATE: - case SHOW_PATH_USING_SCHEMA_TEMPLATE: - return PrivilegeType.READ_TEMPLATE_APPLICATION.ordinal(); case SHOW_CONTINUOUS_QUERIES: - return PrivilegeType.SHOW_CONTINUOUS_QUERIES.ordinal(); + return PrivilegeType.CONTINUOUS_QUERY_PRIVILEGE.ordinal(); case CREATE_PIPEPLUGIN: - return PrivilegeType.CREATE_PIPEPLUGIN.ordinal(); case DROP_PIPEPLUGIN: - return PrivilegeType.DROP_PIPEPLUGIN.ordinal(); case SHOW_PIPEPLUGINS: - return PrivilegeType.SHOW_PIPEPLUGINS.ordinal(); case CREATE_PIPE: - return PrivilegeType.CREATE_PIPE.ordinal(); case START_PIPE: - return PrivilegeType.START_PIPE.ordinal(); case STOP_PIPE: - return PrivilegeType.STOP_PIPE.ordinal(); case DROP_PIPE: - return PrivilegeType.DROP_PIPE.ordinal(); case SHOW_PIPES: - return PrivilegeType.SHOW_PIPES.ordinal(); - case CREATE_LOGICAL_VIEW: - return PrivilegeType.CREATE_VIEW.ordinal(); - case ALTER_LOGICAL_VIEW: - return PrivilegeType.ALTER_VIEW.ordinal(); - case RENAME_LOGICAL_VIEW: - return PrivilegeType.RENAME_VIEW.ordinal(); - case DELETE_LOGICAL_VIEW: - return PrivilegeType.DELETE_VIEW.ordinal(); + return PrivilegeType.PIPE_PRIVILEGE.ordinal(); default: logger.error("Unrecognizable operator type ({}) for AuthorityChecker.", type); return -1; diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java index 83dc516aa9fa..65a70e0a9657 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/parser/ASTVisitor.java 
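Review bot: `case CREATE_FUNCTION:` and `case DROP_FUNCTION:` now fall through to `return PrivilegeType.READ_DATA.ordinal();`, so any account that merely holds read access on the checked paths can register or remove UDFs, which before this commit required the dedicated CREATE_FUNCTION and DROP_FUNCTION privileges; loading a function is a code-deployment action, not a read. Both cases belong with a management group, for instance under `return PrivilegeType.WRITE_SCHEMA.ordinal();` or a constant of their own, and whichever grouping is chosen deserves a comment on the case labels explaining why. How the returned id is matched against the statement's paths lies outside this hunk, and `translateToPermissionId` itself opens before it.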
@@ -2253,12 +2253,6 @@ private void checkGrantRevokePrivileges(String[] privileges, List n boolean pathRelevant = true; String errorPrivilegeName = ""; for (String privilege : privileges) { - if ("SET_STORAGE_GROUP".equalsIgnoreCase(privilege)) { - privilege = PrivilegeType.CREATE_DATABASE.name(); - } - if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(privilege)) { - privilege = PrivilegeType.DELETE_DATABASE.name(); - } if (!PrivilegeType.valueOf(privilege.toUpperCase()).isPathRelevant()) { pathRelevant = false; errorPrivilegeName = privilege.toUpperCase(); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java index 2fac0adae4d6..e77feb08b22f 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/AuthorizerManagerTest.java @@ -54,8 +54,8 @@ public void permissionCacheTest() throws IllegalPathException { Set privilegesIds = new HashSet<>(); PathPrivilege privilege = new PathPrivilege(); List privilegeList = new ArrayList<>(); - privilegesIds.add(PrivilegeType.CREATE_ROLE.ordinal()); - privilegesIds.add(PrivilegeType.REVOKE_USER_ROLE.ordinal()); + privilegesIds.add(PrivilegeType.ROLE_PRIVILEGE.ordinal()); + privilegesIds.add(PrivilegeType.GRANT_PRIVILEGE.ordinal()); privilege.setPath(new PartialPath("root.ln")); privilege.setPrivileges(privilegesIds); privilegeList.add(privilege); @@ -108,7 +108,7 @@ public void permissionCacheTest() throws IllegalPathException { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_ROLE.ordinal()) + PrivilegeType.ROLE_PRIVILEGE.ordinal()) .getCode()); // User does not have permission Assert.assertEquals( 
@@ -117,7 +117,7 @@ public void permissionCacheTest() throws IllegalPathException { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_USER.ordinal()) + PrivilegeType.USER_PRIVILEGE.ordinal()) .getCode()); // Authenticate users with roles @@ -153,7 +153,7 @@ public void permissionCacheTest() throws IllegalPathException { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_ROLE.ordinal()) + PrivilegeType.ROLE_PRIVILEGE.ordinal()) .getCode()); // role does not have permission Assert.assertEquals( @@ -162,7 +162,7 @@ public void permissionCacheTest() throws IllegalPathException { .checkUserPrivileges( "user", Collections.singletonList(new PartialPath("root.ln")), - PrivilegeType.CREATE_USER.ordinal()) + PrivilegeType.USER_PRIVILEGE.ordinal()) .getCode()); authorityFetcher.getAuthorCache().invalidateCache(user.getName(), ""); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java index 41b7252f5109..8aa3a959d770 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/entity/PrivilegeType.java 
@@ -21,55 +21,18 @@ /** This enum class contains all available privileges in IoTDB. */ public enum PrivilegeType { - CREATE_DATABASE(true), - INSERT_TIMESERIES(true), - @Deprecated - UPDATE_TIMESERIES(true), - READ_TIMESERIES(true), - CREATE_TIMESERIES(true), - DELETE_TIMESERIES(true), - CREATE_USER, - DELETE_USER, - MODIFY_PASSWORD, - LIST_USER, - GRANT_USER_PRIVILEGE, - REVOKE_USER_PRIVILEGE, - GRANT_USER_ROLE, - REVOKE_USER_ROLE, - CREATE_ROLE, - DELETE_ROLE, - LIST_ROLE, - GRANT_ROLE_PRIVILEGE, - REVOKE_ROLE_PRIVILEGE, - CREATE_FUNCTION, - DROP_FUNCTION, - CREATE_TRIGGER(true), - DROP_TRIGGER(true), - START_TRIGGER(true), - STOP_TRIGGER(true), - CREATE_CONTINUOUS_QUERY, - DROP_CONTINUOUS_QUERY, - ALL, - DELETE_DATABASE(true), - ALTER_TIMESERIES(true), - UPDATE_TEMPLATE, - READ_TEMPLATE, - APPLY_TEMPLATE(true), - READ_TEMPLATE_APPLICATION, - SHOW_CONTINUOUS_QUERIES, - CREATE_PIPEPLUGIN, - DROP_PIPEPLUGIN, - SHOW_PIPEPLUGINS, - CREATE_PIPE, - START_PIPE, - STOP_PIPE, - DROP_PIPE, - SHOW_PIPES, - CREATE_VIEW(true), - ALTER_VIEW(true), - RENAME_VIEW(true), - DELETE_VIEW(true), - ; + READ_DATA(true), + WRITE_DATA(true), + READ_SCHEMA(true), + WRITE_SCHEMA(true), + USER_PRIVILEGE, + ROLE_PRIVILEGE, + GRANT_PRIVILEGE, + ALTER_PASSWORD, + TRIGGER_PRIVILEGE(true), + CONTINUOUS_QUERY_PRIVILEGE, + PIPE_PRIVILEGE, + ALL; private static final int PRIVILEGE_COUNT = values().length; diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index a1a3507e38e5..8c3ed6f2c030 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java 
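Review bot: Replacing the 47 constants with 12 renumbers every surviving privilege, and the rest of the series stores and compares privileges by `ordinal()` (PathPrivilegeTest sets `Collections.singleton(1)` and now expects it to print as WRITE_DATA), so privilege data written by an earlier version is silently reinterpreted rather than rejected: old position 3 (READ_TIMESERIES) decodes as WRITE_SCHEMA, old position 6 (CREATE_USER) as GRANT_PRIVILEGE, and old position 27 (ALL) exceeds `PRIVILEGE_COUNT`. Unless an upgrade step rewrites the stored user and role files, which is not visible in this series, existing read-only accounts gain write privileges on load. Either decouple the persisted id from declaration order, e.g. `READ_DATA(0, true)` with an explicit id field used for serialization and lookup, or state the constraint on the enum: `// Ordinals are persisted in user/role files: never reorder or remove constants, append only.`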
@@ -53,6 +53,9 @@ public class AuthUtils { private static final int MIN_PASSWORD_LENGTH = 4; private static final int MIN_USERNAME_LENGTH = 4; private static final int MIN_ROLENAME_LENGTH = 4; + private static final int MIN_LENGTH = 4; + private static final int MAX_LENGTH = 32; + private static final String REX_PATTERN = "^[a-zA-Z][_0-9a-zA-Z]*$"; static { try { @@ -134,6 +137,23 @@ public static void validateRolename(String rolename) throws AuthException { } } + public static void validateNameOrPassword(String str) throws AuthException { + int length = str.length(); + if (length < MIN_LENGTH) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, + "The length of name or password must be greater than or equal to " + MIN_LENGTH); + } else if (length > MAX_LENGTH) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, + "The length of name or password must be less than or equal to " + MAX_LENGTH); + } else if (str.matches(REX_PATTERN)) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, + "The name or password must start with a letter and can only contain letters, numbers, and underscores"); + } + } + /** * Validate privilege * @@ -176,22 +196,11 @@ public static void validatePrivilegeOnPath(PartialPath path, int privilegeId) if (!path.equals(ROOT_PATH_PRIVILEGE_PATH)) { validatePath(path); switch (type) { - case READ_TIMESERIES: - case CREATE_DATABASE: - case DELETE_DATABASE: - case CREATE_TIMESERIES: - case DELETE_TIMESERIES: - case INSERT_TIMESERIES: - case ALTER_TIMESERIES: - case CREATE_TRIGGER: - case DROP_TRIGGER: - case START_TRIGGER: - case STOP_TRIGGER: - case APPLY_TEMPLATE: - case CREATE_VIEW: - case ALTER_VIEW: - case RENAME_VIEW: - case DELETE_VIEW: + case READ_SCHEMA: + case WRITE_SCHEMA: + case READ_DATA: + case WRITE_DATA: + case TRIGGER_PRIVILEGE: return; default: throw new AuthException( 
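Review bot: The regex branch of the new `validateNameOrPassword` is inverted: `} else if (str.matches(REX_PATTERN)) {` throws for strings that satisfy `^[a-zA-Z][_0-9a-zA-Z]*$` and accepts everything else, so the "must start with a letter ..." error is raised exactly for well-formed input while a value containing spaces or punctuation passes. It should read `} else if (!str.matches(REX_PATTERN)) {`. The same branch is carried unchanged into the later hunks that touch this method (patch 04 `@@ -150,7 +151,8` and patch 05), so the fix applies there as well. A Javadoc on the new public method stating the three rules (at least MIN_LENGTH, at most MAX_LENGTH, a letter followed by letters, digits or underscore) would make the contract visible to the callers that patch 05 wires up.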
@@ -200,17 +209,10 @@ public static void validatePrivilegeOnPath(PartialPath path, int privilegeId) } } else { switch (type) { - case READ_TIMESERIES: - case CREATE_DATABASE: - case DELETE_DATABASE: - case CREATE_TIMESERIES: - case DELETE_TIMESERIES: - case INSERT_TIMESERIES: - case ALTER_TIMESERIES: - case CREATE_VIEW: - case ALTER_VIEW: - case RENAME_VIEW: - case DELETE_VIEW: + case READ_SCHEMA: + case WRITE_SCHEMA: + case READ_DATA: + case WRITE_DATA: validatePath(path); return; default: @@ -399,12 +401,6 @@ public static Set strToPermissions(String[] authorizationList) throws A PrivilegeType[] types = PrivilegeType.values(); for (String authorization : authorizationList) { boolean legal = false; - if ("SET_STORAGE_GROUP".equalsIgnoreCase(authorization)) { - authorization = PrivilegeType.CREATE_DATABASE.name(); - } - if ("DELETE_STORAGE_GROUP".equalsIgnoreCase(authorization)) { - authorization = PrivilegeType.DELETE_DATABASE.name(); - } for (PrivilegeType privilegeType : types) { if (authorization.equalsIgnoreCase(privilegeType.name())) { result.add(privilegeType.ordinal()); From 828484f3edc17a5930e24dc88b4f4e0f7fd29e0d Mon Sep 17 00:00:00 2001 From: spricoder Date: Thu, 6 Jul 2023 19:12:49 +0800 Subject: [PATCH 02/10] Fix test --- .../java/org/apache/iotdb/db/it/IoTDBAuthIT.java | 13 ++++++------- .../iotdb/db/it/selectinto/IoTDBSelectIntoIT.java | 7 +++---- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java index a2d576731f0b..ae44cbf272f0 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java 
@@ -192,12 +192,12 @@ public void illegalGrantRevokeUserTest() throws SQLException { Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES NOT_A_PRIVILEGE on root.a")); - // duplicate grant adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**"); + // duplicate grant Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES USER_PRIVILEGE on root.**")); - // grant on a illegal seriesPath + // grant on an illegal seriesPath Assert.assertThrows( SQLException.class, () -> adminStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); @@ -218,7 +218,7 @@ public void illegalGrantRevokeUserTest() throws SQLException { Assert.assertThrows( SQLException.class, () -> adminStmt.execute("REVOKE USER tempuser1 PRIVILEGES USER_PRIVILEGE on root.**")); - // revoke on a illegal seriesPath + // revoke on an illegal seriesPath Assert.assertThrows( SQLException.class, () -> adminStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on a.b")); @@ -236,6 +236,7 @@ public void illegalGrantRevokeUserTest() throws SQLException { () -> userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.a.b")); adminStmt.execute("GRANT USER tempuser PRIVILEGES GRANT_PRIVILEGE on root.**"); + userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); userStmt.execute("REVOKE USER tempuser PRIVILEGES WRITE_SCHEMA on root.**"); } } 
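Review bot: The added `userStmt.execute("GRANT USER tempuser PRIVILEGES WRITE_SCHEMA on root.**");` gives the following REVOKE something to remove, but it also pins down that GRANT_PRIVILEGE lets a user extend its own privilege set, and the merged constant now covers user and role grants and revokes alike. If that is the intended semantics, a comment on the line would make the assertion explicit, e.g. `// GRANT_PRIVILEGE is effectively administrative: tempuser can grant itself further privileges`. `illegalGrantRevokeUserTest` starts outside the hunk.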
@@ -471,10 +472,8 @@ public void testListUserPrivileges() throws SQLException { adminStmt.execute("CREATE USER user1 'password1'"); adminStmt.execute("GRANT USER user1 PRIVILEGES READ_SCHEMA ON root.a.b"); adminStmt.execute("CREATE ROLE role1"); - adminStmt.execute( - "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.a.b.c"); - adminStmt.execute( - "GRANT ROLE role1 PRIVILEGES READ_TIMESERIES,INSERT_TIMESERIES,DELETE_TIMESERIES ON root.d.b.c"); + adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.a.b.c"); + adminStmt.execute("GRANT ROLE role1 PRIVILEGES READ_SCHEMA,WRITE_DATA ON root.d.b.c"); adminStmt.execute("GRANT role1 TO user1"); ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES USER user1"); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java index 354a4cae81fc..772db04f04bd 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/selectinto/IoTDBSelectIntoIT.java @@ -561,7 +561,7 @@ public void testPermission1() throws SQLException { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains("No permissions for this operation, please add privilege READ_SCHEMA")); + .contains("No permissions for this operation, please add privilege READ_DATA")); } } } 
@@ -571,7 +571,7 @@ public void testPermission2() throws SQLException { try (Connection adminCon = EnvFactory.getEnv().getConnection(); Statement adminStmt = adminCon.createStatement()) { adminStmt.execute("CREATE USER tempuser2 'temppw2'"); - adminStmt.execute("GRANT USER tempuser2 PRIVILEGES READ_TIMESERIES on root.sg.**;"); + adminStmt.execute("GRANT USER tempuser2 PRIVILEGES WRITE_DATA on root.sg.**;"); try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser2", "temppw2"); Statement userStmt = userCon.createStatement()) { @@ -582,8 +582,7 @@ public void testPermission2() throws SQLException { Assert.assertTrue( e.getMessage(), e.getMessage() - .contains( - "No permissions for this operation, please add privilege INSERT_TIMESERIES")); + .contains("No permissions for this operation, please add privilege READ_DATA")); } } } From 74725640130dd83334903f4a367ddbe29df6ef69 Mon Sep 17 00:00:00 2001 From: spricoder Date: Fri, 7 Jul 2023 11:06:04 +0800 Subject: [PATCH 03/10] Fix UT and PermissionTest --- .../iotdb/confignode/it/IoTDBClusterAuthorityIT.java | 2 +- .../iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java | 8 ++++---- .../apache/iotdb/db/auth/entity/PathPrivilegeTest.java | 4 ++-- .../java/org/apache/iotdb/db/auth/entity/RoleTest.java | 5 ++--- .../java/org/apache/iotdb/db/auth/entity/UserTest.java | 4 ++-- 5 files changed, 11 insertions(+), 12 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java index 9306f9cf2384..de74ff69a8c0 100644 --- a/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/confignode/it/IoTDBClusterAuthorityIT.java 
@@ -353,6 +353,7 @@ public void permissionTest() throws IllegalPathException { authorizerResp = client.queryPermission(authorizerReq); status = authorizerResp.getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); + privilege.remove(0); Assert.assertEquals( privilege, authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE)); @@ -385,7 +386,6 @@ public void permissionTest() throws IllegalPathException { authorizerResp = client.queryPermission(authorizerReq); status = authorizerResp.getStatus(); assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - privilege.remove(0); assertEquals( 0, authorizerResp.getAuthorizerInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size()); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java index fc659a02db0a..83f39f48c128 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/authorizer/LocalFileAuthorizerTest.java @@ -97,7 +97,7 @@ public void testUserPermission() throws AuthException { try { authorizer.grantPrivilegeToUser(user.getName(), nodeName, 1); } catch (AuthException e) { - assertEquals("User user already has INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); + assertEquals("User user already has WRITE_DATA on root.laptop.d1", e.getMessage()); } try { authorizer.grantPrivilegeToUser("error", nodeName, 1); @@ -122,7 +122,7 @@ public void testUserPermission() throws AuthException { try { authorizer.revokePrivilegeFromUser(user.getName(), nodeName, 1); } catch (AuthException e) { - assertEquals("User user does not have INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); + assertEquals("User user does not have WRITE_DATA on root.laptop.d1", e.getMessage()); } try { 
@@ -169,13 +169,13 @@ public void testRolePermission() throws AuthException { try { authorizer.grantPrivilegeToRole(roleName, nodeName, 1); } catch (AuthException e) { - assertEquals("Role role already has INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); + assertEquals("Role role already has WRITE_DATA on root.laptop.d1", e.getMessage()); } authorizer.revokePrivilegeFromRole(roleName, nodeName, 1); try { authorizer.revokePrivilegeFromRole(roleName, nodeName, 1); } catch (AuthException e) { - assertEquals("Role role does not have INSERT_TIMESERIES on root.laptop.d1", e.getMessage()); + assertEquals("Role role does not have WRITE_DATA on root.laptop.d1", e.getMessage()); } authorizer.deleteRole(roleName); try { diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java index 757f88da1838..3a8e6ea4b9f5 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/PathPrivilegeTest.java @@ -34,12 +34,12 @@ public void testPathPrivilege() throws IllegalPathException { PathPrivilege pathPrivilege = new PathPrivilege(); pathPrivilege.setPath(new PartialPath("root.ln")); pathPrivilege.setPrivileges(Collections.singleton(1)); - Assert.assertEquals("root.ln : INSERT_TIMESERIES", pathPrivilege.toString()); + Assert.assertEquals("root.ln : WRITE_DATA", pathPrivilege.toString()); PathPrivilege pathPrivilege1 = new PathPrivilege(); pathPrivilege1.setPath(new PartialPath("root.sg")); pathPrivilege1.setPrivileges(Collections.singleton(1)); Assert.assertNotEquals(pathPrivilege, pathPrivilege1); pathPrivilege.deserialize(pathPrivilege1.serialize()); - Assert.assertEquals("root.sg : INSERT_TIMESERIES", pathPrivilege.toString()); + Assert.assertEquals("root.sg : WRITE_DATA", pathPrivilege.toString()); } } 
diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java index 724b6097dee8..e32d119df687 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/RoleTest.java @@ -36,11 +36,10 @@ public void testRole() throws IllegalPathException { PathPrivilege pathPrivilege = new PathPrivilege(new PartialPath("root.ln")); role.setPrivilegeList(Collections.singletonList(pathPrivilege)); role.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1)); - Assert.assertEquals( - "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}", role.toString()); + Assert.assertEquals("Role{name='role', privilegeList=[root.ln : WRITE_DATA]}", role.toString()); Role role1 = new Role("role1"); role1.deserialize(role.serialize()); Assert.assertEquals( - "Role{name='role', privilegeList=[root.ln : INSERT_TIMESERIES]}", role1.toString()); + "Role{name='role', privilegeList=[root.ln : WRITE_DATA]}", role1.toString()); } } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java index 467e1777e1cc..5efb5c6ec1f7 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java 
@@ -37,12 +37,12 @@ public void testUser() throws IllegalPathException { user.setPrivilegeList(Collections.singletonList(pathPrivilege)); user.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1)); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user.toString()); User user1 = new User("user1", "password1"); user1.deserialize(user.serialize()); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : INSERT_TIMESERIES], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user1.toString()); } } From 5f263462ac31fdf589247a542a1e1cd8f204f8a5 Mon Sep 17 00:00:00 2001 From: spricoder Date: Fri, 7 Jul 2023 19:32:30 +0800 Subject: [PATCH 04/10] Fix test and code smell --- .../apache/iotdb/confignode/persistence/AuthorInfoTest.java | 6 ++---- .../test/java/org/apache/iotdb/db/auth/entity/UserTest.java | 6 ++++-- .../main/java/org/apache/iotdb/commons/utils/AuthUtils.java | 6 ++++-- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java index 699969f8ff10..476ad57e8520 100644 --- a/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java +++ b/iotdb-core/confignode/src/test/java/org/apache/iotdb/confignode/persistence/AuthorInfoTest.java 
@@ -94,10 +94,8 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept Set revokePrivilege = new HashSet<>(); revokePrivilege.add(PrivilegeType.USER_PRIVILEGE.ordinal()); - Map> permissionInfo; List privilege = new ArrayList<>(); - privilege.add("root.** : CREATE_USER"); - privilege.add("root.** : CREATE_USER"); + privilege.add("root.** : USER_PRIVILEGE"); List paths = new ArrayList<>(); paths.add(new PartialPath("root.ln")); @@ -284,6 +282,7 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept permissionInfoResp = authorInfo.executeListUserPrivileges(authorPlan); status = permissionInfoResp.getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); + privilege.remove(0); Assert.assertEquals( privilege, permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE)); @@ -316,7 +315,6 @@ public void permissionTest() throws TException, AuthException, IllegalPathExcept permissionInfoResp = authorInfo.executeListRolePrivileges(authorPlan); status = permissionInfoResp.getStatus(); Assert.assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode()); - privilege.remove(0); Assert.assertEquals( 0, permissionInfoResp.getPermissionInfo().get(IoTDBConstant.COLUMN_PRIVILEGE).size()); diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java index 5efb5c6ec1f7..c14ce60174aa 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/entity/UserTest.java 
@@ -37,12 +37,14 @@ public void testUser() throws IllegalPathException { user.setPrivilegeList(Collections.singletonList(pathPrivilege)); user.setPrivileges(new PartialPath("root.ln"), Collections.singleton(1)); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], " + + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user.toString()); User user1 = new User("user1", "password1"); user1.deserialize(user.serialize()); Assert.assertEquals( - "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", + "User{name='user', password='password', privilegeList=[root.ln : WRITE_DATA], roleList=[], " + + "isOpenIdUser=false, useWaterMark=false, lastActiveTime=0}", user1.toString()); } } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index 8c3ed6f2c030..f63644dc4a8d 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -55,7 +55,7 @@ public class AuthUtils { private static final int MIN_ROLENAME_LENGTH = 4; private static final int MIN_LENGTH = 4; private static final int MAX_LENGTH = 32; - private static final String REX_PATTERN = "^[a-zA-Z][_0-9a-zA-Z]*$"; + private static final String REX_PATTERN = "^[a-zA-Z]\\w*$"; static { try { 
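Review bot: `REX_PATTERN` is a constant but is still passed to `String.matches`, which recompiles it on every call; hold it as `private static final Pattern REX_PATTERN = Pattern.compile("^[a-zA-Z]\\w*$");` and check with `REX_PATTERN.matcher(str).matches()`. The switch to `\w` is behaviour-preserving only because no flags are applied, so `\w` stays ASCII `[a-zA-Z_0-9]`; a comment such as `// ASCII-only on purpose: do not add UNICODE_CHARACTER_CLASS` would keep a later flag change from widening the accepted set unnoticed.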
@@ -138,6 +138,7 @@ public static void validateRolename(String rolename) throws AuthException { } public static void validateNameOrPassword(String str) throws AuthException { + // TODO @Spricoder int length = str.length(); if (length < MIN_LENGTH) { throw new AuthException( @@ -150,7 +151,8 @@ public static void validateNameOrPassword(String str) throws AuthException { } else if (str.matches(REX_PATTERN)) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, - "The name or password must start with a letter and can only contain letters, numbers, and underscores"); + "The name or password must start with a letter and can only contain letters, numbers," + + " and underscores"); } } From 507202aa47e1169c8e498c6b78aff010c784b2b4 Mon Sep 17 00:00:00 2001 From: spricoder Date: Mon, 10 Jul 2023 11:03:36 +0800 Subject: [PATCH 05/10] Add validate --- .../apache/iotdb/commons/utils/AuthUtils.java | 34 ++++--------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index f63644dc4a8d..3bfee0594d90 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -50,9 +50,6 @@ public class AuthUtils { private static final Logger logger = LoggerFactory.getLogger(AuthUtils.class); private static final String ROOT_PREFIX = IoTDBConstant.PATH_ROOT; public static PartialPath ROOT_PATH_PRIVILEGE_PATH; - private static final int MIN_PASSWORD_LENGTH = 4; - private static final int MIN_USERNAME_LENGTH = 4; - private static final int MIN_ROLENAME_LENGTH = 4; private static final int MIN_LENGTH = 4; private static final int MAX_LENGTH = 32; private static final String REX_PATTERN = "^[a-zA-Z]\\w*$"; 
@@ -80,14 +77,7 @@ private AuthUtils() { * @throws AuthException contains message why password is invalid */ public static void validatePassword(String password) throws AuthException { - if (password.length() < MIN_PASSWORD_LENGTH) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, - "Password's size must be greater than or equal to " + MIN_PASSWORD_LENGTH); - } - if (password.contains(" ")) { - throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Password cannot contain spaces"); - } + validateNameOrPassword(password); } /** @@ -110,14 +100,7 @@ public static boolean validatePassword(String originPassword, String encryptPass * @throws AuthException contains message why username is invalid */ public static void validateUsername(String username) throws AuthException { - if (username.length() < MIN_USERNAME_LENGTH) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, - "Username's size must be greater than or equal to " + MIN_USERNAME_LENGTH); - } - if (username.contains(" ")) { - throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Username cannot contain spaces"); - } + validateNameOrPassword(username); } /** @@ -127,18 +110,10 @@ public static void validateUsername(String username) throws AuthException { * @throws AuthException contains message why rolename is invalid */ public static void validateRolename(String rolename) throws AuthException { - if (rolename.length() < MIN_ROLENAME_LENGTH) { - throw new AuthException( - TSStatusCode.ILLEGAL_PARAMETER, - "Role name's size must be greater than or equal to " + MIN_ROLENAME_LENGTH); - } - if (rolename.contains(" ")) { - throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Role name cannot contain spaces"); - } + validateNameOrPassword(rolename); } public static void validateNameOrPassword(String str) throws AuthException { - // TODO @Spricoder int length = str.length(); if (length < MIN_LENGTH) { throw new AuthException( 
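Review bot: Delegating validatePassword to validateNameOrPassword subjects passwords to the identifier rules (REX_PATTERN and MAX_LENGTH, 32 at this point), so a password may now only use the regex's character set and at most 32 characters; that rules out punctuation and longer passphrases and is a weaker policy than the length-and-no-space rule it replaces. If the shared helper is wanted for names, keep a password-specific path that enforces only length and whitespace, e.g. `if (password.length() < MIN_LENGTH || password.contains(" ")) throw new AuthException(TSStatusCode.ILLEGAL_PARAMETER, "Password cannot contain spaces or be shorter than " + MIN_LENGTH);`. The field-specific messages ("Password's size must be ...", "Username cannot contain spaces") are also replaced by generic "name or password" text, which any caller or test matching on them will notice. The Javadoc headers of the three wrappers sit above the hunk.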
@@ -148,6 +123,9 @@ public static void validateNameOrPassword(String str) throws AuthException { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, "The length of name or password must be less than or equal to " + MAX_LENGTH); + } else if (str.contains(" ")) { + throw new AuthException( + TSStatusCode.ILLEGAL_PARAMETER, "The name or password cannot contain spaces"); } else if (str.matches(REX_PATTERN)) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, From a5e93d855013ea3d4a392dc1276a4ef2f8d19ef1 Mon Sep 17 00:00:00 2001 From: spricoder Date: Mon, 10 Jul 2023 11:56:16 +0800 Subject: [PATCH 06/10] Fix first init --- .../iotdb/db/auth/user/LocalFileUserManagerTest.java | 12 ++++++------ .../security/encrypt/MessageDigestEncryptTest.java | 2 +- .../commons/auth/authorizer/BasicAuthorizer.java | 2 +- .../iotdb/commons/auth/user/BasicUserManager.java | 12 ++++++++---- .../apache/iotdb/commons/auth/user/IUserManager.java | 3 ++- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java index a4ebb2015399..a1ce4909901d 100644 --- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/auth/user/LocalFileUserManagerTest.java 
@@ -65,13 +65,13 @@ public void tearDown() throws Exception { public void testIllegalInput() throws AuthException { // Password contains space try { - manager.createUser("username1", "password_ "); + manager.createUser("username1", "password_ ", false); } catch (AuthException e) { assertTrue(e.getMessage().contains("cannot contain spaces")); } // Username contains space try { - assertFalse(manager.createUser("username 2", "password_")); + assertFalse(manager.createUser("username 2", "password_", false)); } catch (AuthException e) { assertTrue(e.getMessage().contains("cannot contain spaces")); } @@ -94,7 +94,7 @@ public void test() throws AuthException, IllegalPathException { User user = manager.getUser(users[0].getName()); assertNull(user); for (User user1 : users) { - assertTrue(manager.createUser(user1.getName(), user1.getPassword())); + assertTrue(manager.createUser(user1.getName(), user1.getPassword(), false)); } for (User user1 : users) { user = manager.getUser(user1.getName()); @@ -102,17 +102,17 @@ public void test() throws AuthException, IllegalPathException { assertTrue(AuthUtils.validatePassword(user1.getPassword(), user.getPassword())); } - assertFalse(manager.createUser(users[0].getName(), users[0].getPassword())); + assertFalse(manager.createUser(users[0].getName(), users[0].getPassword(), false)); boolean caught = false; try { - manager.createUser("too", "short"); + manager.createUser("too", "short", false); } catch (AuthException e) { caught = true; } assertTrue(caught); caught = false; try { - manager.createUser("short", "too"); + manager.createUser("short", "too", false); } catch (AuthException e) { caught = true; } diff --git a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java index 146947c09485..9ad6d671204c 100644 
--- a/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java +++ b/iotdb-core/datanode/src/test/java/org/apache/iotdb/db/security/encrypt/MessageDigestEncryptTest.java @@ -80,7 +80,7 @@ public void testMessageDigestEncrypt() throws AuthException, IllegalPathExceptio User user = manager.getUser(users[0].getName()); assertNull(user); for (User user1 : users) { - assertTrue(manager.createUser(user1.getName(), user1.getPassword())); + assertTrue(manager.createUser(user1.getName(), user1.getPassword(), false)); } for (User user1 : users) { user = manager.getUser(user1.getName()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java index 7c1c891bb927..93c0237e49bf 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/authorizer/BasicAuthorizer.java @@ -119,7 +119,7 @@ public boolean login(String username, String password) throws AuthException { @Override public void createUser(String username, String password) throws AuthException { - if (!userManager.createUser(username, password)) { + if (!userManager.createUser(username, password, false)) { throw new AuthException( TSStatusCode.USER_ALREADY_EXIST, String.format("User %s already exists", username)); } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java index 4b872db74ed4..f9a4485f068d 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/BasicUserManager.java 
@@ -82,7 +82,8 @@ private void initAdmin() throws AuthException { if (admin == null) { createUser( CommonDescriptor.getInstance().getConfig().getAdminName(), - CommonDescriptor.getInstance().getConfig().getAdminPassword()); + CommonDescriptor.getInstance().getConfig().getAdminPassword(), + true); setUserUseWaterMark(CommonDescriptor.getInstance().getConfig().getAdminName(), false); } logger.info("Admin initialized"); @@ -111,9 +112,12 @@ public User getUser(String username) throws AuthException { } @Override - public boolean createUser(String username, String password) throws AuthException { - AuthUtils.validateUsername(username); - AuthUtils.validatePassword(password); + public boolean createUser(String username, String password, boolean firstInit) + throws AuthException { + if (!firstInit) { + AuthUtils.validateUsername(username); + AuthUtils.validatePassword(password); + } User user = getUser(username); if (user != null) { diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java index f403db6195e3..501ec2be4a75 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/auth/user/IUserManager.java @@ -43,10 +43,11 @@ public interface IUserManager extends SnapshotProcessor { * * @param username is not null or empty * @param password is not null or empty + * @param firstInit is first init admin * @return True if the user is successfully created, false when the user already exists. * @throws AuthException if the given username or password is illegal. */ - boolean createUser(String username, String password) throws AuthException; + boolean createUser(String username, String password, boolean firstInit) throws AuthException; /** * Delete a user. From f38a47d0f5979cadc7fa2bcaa6405c97884bfe7b Mon Sep 17 00:00:00 2001 
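Review bot: When firstInit is true, createUser skips both validateUsername and validatePassword, and since firstInit is now a parameter of the public IUserManager.createUser, any caller can bypass the credential policy, not only initAdmin. The bypass is silent: a configured admin password that violates the policy is persisted with nothing in the log. Consider restricting the skip to the configured admin name and logging it, e.g. `if (firstInit) { logger.warn("Skipping credential validation for initial admin user {}", username); } else { AuthUtils.validateUsername(username); AuthUtils.validatePassword(password); }`, and stating in the IUserManager Javadoc that `firstInit` disables validation. The remainder of createUser continues past the hunk.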
From: spricoder Date: Mon, 10 Jul 2023 16:14:58 +0800 Subject: [PATCH 07/10] Fix logic --- .../src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index 3bfee0594d90..e500f0ed2b93 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -126,7 +126,7 @@ public static void validateNameOrPassword(String str) throws AuthException { } else if (str.contains(" ")) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, "The name or password cannot contain spaces"); - } else if (str.matches(REX_PATTERN)) { + } else if (!str.matches(REX_PATTERN)) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, "The name or password must start with a letter and can only contain letters, numbers," From 9d75590b2e9b6ce5191f1425bd539a423b35b030 Mon Sep 17 00:00:00 2001 From: spricoder Date: Mon, 10 Jul 2023 18:31:47 +0800 Subject: [PATCH 08/10] Fix Test --- .../org/apache/iotdb/db/it/IoTDBAuthIT.java | 4 +- .../it/IoTDBSyntaxConventionIdentifierIT.java | 52 ++----------------- .../apache/iotdb/commons/utils/AuthUtils.java | 8 +-- 3 files changed, 10 insertions(+), 54 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java index ae44cbf272f0..02f89882df11 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBAuthIT.java 
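Review bot: `str.matches(REX_PATTERN)` recompiles the regex on every call even though REX_PATTERN is a constant; hoisting it to `private static final Pattern NAME_PATTERN = Pattern.compile(REX_PATTERN);` and testing `!NAME_PATTERN.matcher(str).matches()` avoids that (needs `java.util.regex.Pattern` imported). The inversion fix itself is right: the branch now throws only when the input fails the pattern. A unit test covering the regex branch (e.g. a name containing `!`) would have caught the earlier inverted condition; LocalFileUserManagerTest.testIllegalInput only exercises the space and length cases.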
@@ -618,10 +618,10 @@ public void testListRoleUsers() throws SQLException { }; for (int i = 0; i < members.length - 1; i++) { - adminStmt.execute("CREATE USER " + members[i] + " '666666'"); + adminStmt.execute("CREATE USER " + members[i] + " 'a666666'"); adminStmt.execute("GRANT dalao TO " + members[i]); } - adminStmt.execute("CREATE USER RiverSky '2333333'"); + adminStmt.execute("CREATE USER RiverSky 'a2333333'"); adminStmt.execute("GRANT zhazha TO RiverSky"); ResultSet resultSet = adminStmt.executeQuery("LIST USER OF ROLE dalao"); diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java index c59f40d7a212..2dac13668aa8 100644 --- a/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/db/it/IoTDBSyntaxConventionIdentifierIT.java @@ -591,32 +591,10 @@ public void testUDFName() { public void testUserName() { try (Connection connection = EnvFactory.getEnv().getConnection(); Statement statement = connection.createStatement()) { - String[] userNames = - new String[] { - "userid", - "userid0", - "user_id", - "user0id", - "`22233`", - "`userab!`", - "`user'ab'`", - "`usera.b`", - "`usera``b`" - }; + String[] userNames = new String[] {"userid", "userid0", "user_id", "user0id", "`a22233`"}; String[] resultNames = - new String[] { - "root", - "userid", - "userid0", - "user_id", - "user0id", - "22233", - "userab!", - "user'ab'", - "usera.b", - "usera`b" - }; + new String[] {"root", "userid", "userid0", "user_id", "user0id", "a22233"}; String createUsersSql = "create user %s 'pwd123' "; for (String userName : userNames) { 
@@ -678,31 +656,9 @@ public void testUserName() { public void testRoleName() { try (Connection connection = EnvFactory.getEnv().getConnection(); Statement statement = connection.createStatement()) { - String[] roleNames = - new String[] { - "roleid", - "roleid0", - "role_id", - "role0id", - "`22233`", - "`roleab!`", - "`role'ab'`", - "`rolea.b`", - "`rolea``b`" - }; + String[] roleNames = new String[] {"roleid", "roleid0", "role_id", "role0id", "`a22233`"}; - String[] resultNames = - new String[] { - "roleid", - "roleid0", - "role_id", - "role0id", - "22233", - "roleab!", - "role'ab'", - "rolea.b", - "rolea`b" - }; + String[] resultNames = new String[] {"roleid", "roleid0", "role_id", "role0id", "a22233"}; String createRolesSql = "create role %s"; for (String roleName : roleNames) { statement.execute(String.format(createRolesSql, roleName)); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index e500f0ed2b93..1acd6e6d698f 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -51,8 +51,8 @@ public class AuthUtils { private static final String ROOT_PREFIX = IoTDBConstant.PATH_ROOT; public static PartialPath ROOT_PATH_PRIVILEGE_PATH; private static final int MIN_LENGTH = 4; - private static final int MAX_LENGTH = 32; - private static final String REX_PATTERN = "^[a-zA-Z]\\w*$"; + private static final int MAX_LENGTH = 64; + private static final String REX_PATTERN = "^[a-zA-Z][-\\w]*$"; static { try { 
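Review bot: The new REX_PATTERN `^[a-zA-Z][-\\w]*$` rejects names the syntax-convention tests previously accepted via backtick quoting (`22233`, `userab!`, `user'ab'`, `usera.b`, `usera``b`), and the commit handles this by deleting those test cases rather than noting the behaviour change; deployments that created such users under the old rule keep them on disk while the same names can no longer be created. That is a user-visible compatibility break and belongs in the commit message, and the Javadoc of validateNameOrPassword should state the accepted alphabet, e.g. `* Names must start with an ASCII letter and contain only ASCII letters, digits, '_' and '-'.` `\\w` without UNICODE_CHARACTER_CLASS is ASCII-only, so non-ASCII names are rejected too. Raising MAX_LENGTH to 64 is fine but also applies to passwords through validatePassword.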
@@ -129,8 +129,8 @@ public static void validateNameOrPassword(String str) throws AuthException { } else if (!str.matches(REX_PATTERN)) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, - "The name or password must start with a letter and can only contain letters, numbers," - + " and underscores"); + "The name or password can only contain letters, numbers, and underscores, " + + "and cannot start with numbers"); } } From 1a784108a278ca2545e288eebca06abbe9dc74db Mon Sep 17 00:00:00 2001 From: spricoder Date: Tue, 11 Jul 2023 12:41:29 +0800 Subject: [PATCH 09/10] Fix regex --- .../src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index 1acd6e6d698f..33edc023a6fa 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -52,7 +52,7 @@ public class AuthUtils { public static PartialPath ROOT_PATH_PRIVILEGE_PATH; private static final int MIN_LENGTH = 4; private static final int MAX_LENGTH = 64; - private static final String REX_PATTERN = "^[a-zA-Z][-\\w]*$"; + private static final String REX_PATTERN = "^[-\\w]*$"; static { try { From c390e6fa941950233ea6346d21cc6abebfed6520 Mon Sep 17 00:00:00 2001 From: spricoder Date: Tue, 11 Jul 2023 12:42:06 +0800 Subject: [PATCH 10/10] Fix prompt --- .../main/java/org/apache/iotdb/commons/utils/AuthUtils.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java index 33edc023a6fa..1578fdc5fa8f 100644 
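Review bot: The new pattern `^[-\\w]*$` drops the leading-letter requirement, so names may now begin with `-` or a digit; a leading `-` is worth rejecting on its own, since such a name is ambiguous as a CLI argument to tooling that takes user names (e.g. `^[\\w][-\\w]*$`). The message added in the previous commit still says "cannot start with numbers", which this commit makes false (the wording is only corrected in the following commit). Because validatePassword routes through the same check, passwords are also confined to `[A-Za-z0-9_-]`; if that is intended, say so on the method: `// Applies to user names, role names AND passwords: ASCII letters, digits, '_' and '-' only.`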
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/utils/AuthUtils.java @@ -129,8 +129,7 @@ public static void validateNameOrPassword(String str) throws AuthException { } else if (!str.matches(REX_PATTERN)) { throw new AuthException( TSStatusCode.ILLEGAL_PARAMETER, - "The name or password can only contain letters, numbers, and underscores, " - + "and cannot start with numbers"); + "The name or password can only contain letters, numbers, and underscores"); } }
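Review bot: The message still claims "letters, numbers, and underscores" while REX_PATTERN (`^[-\\w]*$` from the previous commit) also accepts `-`, so a user whose name is rejected cannot tell from the text that hyphens are allowed; change it to `"The name or password can only contain letters, numbers, underscores and hyphens"`. Since this text is the only feedback for a rejected password as well, it is worth keeping exact. The opening checks of validateNameOrPassword are above the hunk.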