Fix AutoCreateSchema using template without WRITE_SCHEMA

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java

@@ -1168,4 +1168,26 @@ public void testQueryTemplate() throws SQLException {
       Assert.assertTrue(standards.isEmpty());
     }
   }
+
+  @Test
+  public void insertWithTemplateTest() throws SQLException {
+    try (Connection adminCon = EnvFactory.getEnv().getConnection();
+        Statement adminStmt = adminCon.createStatement()) {
+      adminStmt.execute("CREATE USER tempuser 'temppw'");
+
+      try (Connection userCon = EnvFactory.getEnv().getConnection("tempuser", "temppw");
+          Statement userStmt = userCon.createStatement()) {
+
+        adminStmt.execute("CREATE DATABASE root.a");
+        adminStmt.execute("create schema template t1 aligned (s_name TEXT)");
+        adminStmt.execute("GRANT WRITE_DATA ON root.a.** TO USER tempuser");
+        adminStmt.execute("set schema template t1 to root.a");
+
+        // grant privilege to insert
+        Assert.assertThrows(
+            SQLException.class,
+            () -> userStmt.execute("INSERT INTO root.a.d1(timestamp, s_name) VALUES (1,'IoTDB')"));
+      }
+    }
+  }
 }

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBTemplatePermissionIT.java

@@ -72,11 +72,6 @@ public void adminOperationsTest() {
         "803: Only the admin user can perform this operation",
         "test",
         "test123");
-    assertNonQueryTestFail(
-        "alter device template t1 add (speed FLOAT encoding=RLE, FLOAT TEXT encoding=PLAIN compression=SNAPPY)",
-        "803: Only the admin user can perform this operation",
-        "test",
-        "test123");
     assertNonQueryTestFail(
         "show device templates",
         "803: Only the admin user can perform this operation",

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java

@@ -20,12 +20,10 @@
 package org.apache.iotdb.db.queryengine.plan.analyze.schema;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.exception.IoTDBException;
 import org.apache.iotdb.commons.exception.MetadataException;
 import org.apache.iotdb.commons.path.MeasurementPath;
 import org.apache.iotdb.commons.path.PartialPath;
-import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
 import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.conf.IoTDBConfig;
 import org.apache.iotdb.db.conf.IoTDBDescriptor;
@@ -82,6 +80,7 @@ class AutoCreateSchemaExecutor {
   }
 
   private ExecutionResult executeStatement(Statement statement, MPPQueryContext context) {
+
     return coordinator.execute(
         statement,
         SessionManager.getInstance().requestQueryId(),
@@ -195,44 +194,12 @@ void autoExtendTemplate(
       List<String> measurementList,
       List<TSDataType> dataTypeList,
       MPPQueryContext context) {
-    long startTime = System.nanoTime();
-    try {
-      String userName = context.getSession().getUserName();
-      if (!AuthorityChecker.SUPER_USER.equals(userName)) {
-        TSStatus status =
-            AuthorityChecker.getTSStatus(
-                AuthorityChecker.checkSystemPermission(
-                    userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
-                PrivilegeType.EXTEND_TEMPLATE);
-        if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-          throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
-        }
-      }
-    } finally {
-      PerformanceOverviewMetrics.getInstance().recordAuthCost(System.nanoTime() - startTime);
-    }
     internalExtendTemplate(templateName, measurementList, dataTypeList, null, null, context);
   }
 
   // Used for insert records or tablets
   void autoExtendTemplate(
       Map<String, TemplateExtendInfo> templateExtendInfoMap, MPPQueryContext context) {
-    long startTime = System.nanoTime();
-    try {
-      String userName = context.getSession().getUserName();
-      if (!AuthorityChecker.SUPER_USER.equals(userName)) {
-        TSStatus status =
-            AuthorityChecker.getTSStatus(
-                AuthorityChecker.checkSystemPermission(
-                    userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
-                PrivilegeType.EXTEND_TEMPLATE);
-        if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-          throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
-        }
-      }
-    } finally {
-      PerformanceOverviewMetrics.getInstance().recordAuthCost(System.nanoTime() - startTime);
-    }
     TemplateExtendInfo templateExtendInfo;
     for (Map.Entry<String, TemplateExtendInfo> entry : templateExtendInfoMap.entrySet()) {
       templateExtendInfo = entry.getValue().deduplicate();
@@ -535,9 +502,14 @@ private List<MeasurementPath> executeInternalCreateTimeseriesStatement(
   }
 
   private void internalActivateTemplate(PartialPath devicePath, MPPQueryContext context) {
-    ExecutionResult executionResult =
-        executeStatement(new ActivateTemplateStatement(devicePath), context);
-    TSStatus status = executionResult.status;
+    ActivateTemplateStatement statement = new ActivateTemplateStatement(devicePath);
+    TSStatus status =
+        AuthorityChecker.checkAuthority(statement, context.getSession().getUserName());
+    if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+      throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
+    }
+    ExecutionResult executionResult = executeStatement(statement, context);
+    status = executionResult.status;
     if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()
         && status.getCode() != TSStatusCode.TEMPLATE_IS_IN_USE.getStatusCode()) {
       throw new SemanticException(new IoTDBException(status.getMessage(), status.getCode()));
@@ -547,10 +519,15 @@ private void internalActivateTemplate(PartialPath devicePath, MPPQueryContext co
   private void internalActivateTemplate(
       Map<PartialPath, Pair<Template, PartialPath>> devicesNeedActivateTemplate,
       MPPQueryContext context) {
-    ExecutionResult executionResult =
-        executeStatement(
-            new InternalBatchActivateTemplateStatement(devicesNeedActivateTemplate), context);
-    TSStatus status = executionResult.status;
+    InternalBatchActivateTemplateStatement statement =
+        new InternalBatchActivateTemplateStatement(devicesNeedActivateTemplate);
+    TSStatus status =
+        AuthorityChecker.checkAuthority(statement, context.getSession().getUserName());
+    if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+      throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
+    }
+    ExecutionResult executionResult = executeStatement(statement, context);
+    status = executionResult.status;
     if (status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()
         || status.getCode() == TSStatusCode.TEMPLATE_IS_IN_USE.getStatusCode()) {
       return;
@@ -621,17 +598,22 @@ private void internalExtendTemplate(
       List<CompressionType> compressionTypeList,
       MPPQueryContext context) {
 
-    ExecutionResult executionResult =
-        executeStatement(
-            new AlterSchemaTemplateStatement(
-                templateName,
-                measurementList,
-                dataTypeList,
-                encodingList,
-                compressionTypeList,
-                TemplateAlterOperationType.EXTEND_TEMPLATE),
-            context);
-    TSStatus status = executionResult.status;
+    AlterSchemaTemplateStatement statement =
+        new AlterSchemaTemplateStatement(
+            templateName,
+            measurementList,
+            dataTypeList,
+            encodingList,
+            compressionTypeList,
+            TemplateAlterOperationType.EXTEND_TEMPLATE);
+    TSStatus status =
+        AuthorityChecker.checkAuthority(statement, context.getSession().getUserName());
+    if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+      throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
+    }
+
+    ExecutionResult executionResult = executeStatement(statement, context);
+    status = executionResult.status;
     if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()
         && status.getCode()
             != TSStatusCode.MEASUREMENT_ALREADY_EXISTS_IN_TEMPLATE.getStatusCode()) {

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/internal/InternalBatchActivateTemplateStatement.java

@@ -19,16 +19,22 @@
 
 package org.apache.iotdb.db.queryengine.plan.statement.internal;
 
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
 import org.apache.iotdb.db.queryengine.plan.statement.StatementType;
 import org.apache.iotdb.db.queryengine.plan.statement.StatementVisitor;
+import org.apache.iotdb.db.schemaengine.template.ClusterTemplateManager;
 import org.apache.iotdb.db.schemaengine.template.Template;
+import org.apache.iotdb.rpc.TSStatusCode;
 import org.apache.iotdb.tsfile.utils.Pair;
 
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 // This is only used for auto activate template on multi devices while inserting data
 public class InternalBatchActivateTemplateStatement extends Statement {
@@ -49,7 +55,32 @@ public Map<PartialPath, Pair<Template, PartialPath>> getDeviceMap() {
 
   @Override
   public List<PartialPath> getPaths() {
-    return new ArrayList<>(deviceMap.keySet());
+    ClusterTemplateManager clusterTemplateManager = ClusterTemplateManager.getInstance();
+    List<String> templatePaths = new ArrayList<>();
+    for (PartialPath path : deviceMap.keySet()) {
+      Pair<Template, PartialPath> templateSetInfo =
+          clusterTemplateManager.checkTemplateSetInfo(path);
+      if (templateSetInfo == null) {
+        continue;
+      }
+      templatePaths.addAll(templateSetInfo.left.getSchemaMap().keySet());
+    }
+    return deviceMap.keySet().stream()
+        .flatMap(path -> templatePaths.stream().map(path::concatNode))
+        .collect(Collectors.toList());
+  }
+
+  @Override
+  public TSStatus checkPermissionBeforeProcess(String userName) {
+    if (AuthorityChecker.SUPER_USER.equals(userName)) {
+      return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+    }
+    List<PartialPath> checkedPaths = getPaths();
+    return AuthorityChecker.getTSStatus(
+        AuthorityChecker.checkPatternPermission(
+            userName, checkedPaths, PrivilegeType.WRITE_SCHEMA.ordinal()),
+        checkedPaths,
+        PrivilegeType.WRITE_SCHEMA);
   }
 
   @Override

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/template/AlterSchemaTemplateStatement.java

@@ -19,7 +19,10 @@
 
 package org.apache.iotdb.db.queryengine.plan.statement.metadata.template;
 
+import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
 import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -28,13 +31,16 @@
 import org.apache.iotdb.db.schemaengine.template.TemplateAlterOperationType;
 import org.apache.iotdb.db.schemaengine.template.alter.TemplateAlterInfo;
 import org.apache.iotdb.db.schemaengine.template.alter.TemplateExtendInfo;
+import org.apache.iotdb.rpc.TSStatusCode;
 import org.apache.iotdb.tsfile.file.metadata.enums.CompressionType;
 import org.apache.iotdb.tsfile.file.metadata.enums.TSDataType;
 import org.apache.iotdb.tsfile.file.metadata.enums.TSEncoding;
 
 import java.util.Collections;
 import java.util.List;
 
+import static org.apache.iotdb.db.schemaengine.template.TemplateAlterOperationType.EXTEND_TEMPLATE;
+
 public class AlterSchemaTemplateStatement extends Statement implements IConfigStatement {
 
   private TemplateAlterInfo templateAlterInfo;
@@ -54,7 +60,7 @@ public AlterSchemaTemplateStatement(
       List<CompressionType> compressors,
       TemplateAlterOperationType operationType) {
     this();
-    if (operationType.equals(TemplateAlterOperationType.EXTEND_TEMPLATE)) {
+    if (operationType.equals(EXTEND_TEMPLATE)) {
       this.templateAlterInfo =
           new TemplateExtendInfo(templateName, measurements, dataTypes, encodings, compressors);
     }
@@ -79,6 +85,21 @@ public List<PartialPath> getPaths() {
     return Collections.emptyList();
   }
 
+  @Override
+  public TSStatus checkPermissionBeforeProcess(String userName) {
+    if (AuthorityChecker.SUPER_USER.equals(userName)) {
+      return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
+    }
+    if (operationType == EXTEND_TEMPLATE) {
+      return AuthorityChecker.getTSStatus(
+          AuthorityChecker.checkSystemPermission(userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
+          PrivilegeType.EXTEND_TEMPLATE);
+    } else {
+      return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
+          .setMessage("Only the admin user can perform this operation");
+    }
+  }
+
   @Override
   public <R, C> R accept(StatementVisitor<R, C> visitor, C context) {
     return visitor.visitAlterSchemaTemplate(this, context);