Only root can alter template

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java

@@ -1180,13 +1180,26 @@ public void insertWithTemplateTest() throws SQLException {
 
         adminStmt.execute("CREATE DATABASE root.a");
         adminStmt.execute("create schema template t1 aligned (s_name TEXT)");
+        adminStmt.execute("GRANT EXTEND_TEMPLATE ON root.** TO USER tempuser");
         adminStmt.execute("GRANT WRITE_DATA ON root.a.** TO USER tempuser");
         adminStmt.execute("set schema template t1 to root.a");
 
         // grant privilege to insert
         Assert.assertThrows(
             SQLException.class,
-            () -> userStmt.execute("INSERT INTO root.a.d1(timestamp, s_name) VALUES (1,'IoTDB')"));
+            () ->
+                userStmt.execute(
+                    "INSERT INTO root.a.d1(timestamp, s_name, s_value) VALUES (1,'IoTDB', 2)"));
+
+        adminStmt.execute("GRANT WRITE_SCHEMA ON root.a.d1.** TO USER tempuser");
+        userStmt.execute("INSERT INTO root.a.d1(timestamp, s_name, s_value) VALUES (1,'IoTDB', 2)");
+        adminStmt.execute("REVOKE EXTEND_TEMPLATE ON root.** FROM USER tempuser");
+
+        Assert.assertThrows(
+            SQLException.class,
+            () ->
+                userStmt.execute(
+                    "INSERT INTO root.a.d1(timestamp, s_name, s_value, s_value_2) VALUES (1,'IoTDB', 2, 2)"));
       }
     }
   }

integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBTemplatePermissionIT.java

@@ -72,6 +72,11 @@ public void adminOperationsTest() {
         "803: Only the admin user can perform this operation",
         "test",
         "test123");
+    assertNonQueryTestFail(
+        "alter device template t1 add (speed FLOAT encoding=RLE, FLOAT TEXT encoding=PLAIN compression=SNAPPY)",
+        "803: Only the admin user can perform this operation",
+        "test",
+        "test123");
     assertNonQueryTestFail(
         "show device templates",
         "803: Only the admin user can perform this operation",

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/analyze/schema/AutoCreateSchemaExecutor.java

@@ -20,10 +20,12 @@
 package org.apache.iotdb.db.queryengine.plan.analyze.schema;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.exception.IoTDBException;
 import org.apache.iotdb.commons.exception.MetadataException;
 import org.apache.iotdb.commons.path.MeasurementPath;
 import org.apache.iotdb.commons.path.PartialPath;
+import org.apache.iotdb.commons.service.metric.PerformanceOverviewMetrics;
 import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.conf.IoTDBConfig;
 import org.apache.iotdb.db.conf.IoTDBDescriptor;
@@ -194,12 +196,44 @@ void autoExtendTemplate(
       List<String> measurementList,
       List<TSDataType> dataTypeList,
       MPPQueryContext context) {
+    long startTime = System.nanoTime();
+    try {
+      String userName = context.getSession().getUserName();
+      if (!AuthorityChecker.SUPER_USER.equals(userName)) {
+        TSStatus status =
+            AuthorityChecker.getTSStatus(
+                AuthorityChecker.checkSystemPermission(
+                    userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
+                PrivilegeType.EXTEND_TEMPLATE);
+        if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+          throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
+        }
+      }
+    } finally {
+      PerformanceOverviewMetrics.getInstance().recordAuthCost(System.nanoTime() - startTime);
+    }
     internalExtendTemplate(templateName, measurementList, dataTypeList, null, null, context);
   }
 
   // Used for insert records or tablets
   void autoExtendTemplate(
       Map<String, TemplateExtendInfo> templateExtendInfoMap, MPPQueryContext context) {
+    long startTime = System.nanoTime();
+    try {
+      String userName = context.getSession().getUserName();
+      if (!AuthorityChecker.SUPER_USER.equals(userName)) {
+        TSStatus status =
+            AuthorityChecker.getTSStatus(
+                AuthorityChecker.checkSystemPermission(
+                    userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
+                PrivilegeType.EXTEND_TEMPLATE);
+        if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
+          throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
+        }
+      }
+    } finally {
+      PerformanceOverviewMetrics.getInstance().recordAuthCost(System.nanoTime() - startTime);
+    }
     TemplateExtendInfo templateExtendInfo;
     for (Map.Entry<String, TemplateExtendInfo> entry : templateExtendInfoMap.entrySet()) {
       templateExtendInfo = entry.getValue().deduplicate();
@@ -598,22 +632,17 @@ private void internalExtendTemplate(
       List<CompressionType> compressionTypeList,
       MPPQueryContext context) {
 
-    AlterSchemaTemplateStatement statement =
-        new AlterSchemaTemplateStatement(
-            templateName,
-            measurementList,
-            dataTypeList,
-            encodingList,
-            compressionTypeList,
-            TemplateAlterOperationType.EXTEND_TEMPLATE);
-    TSStatus status =
-        AuthorityChecker.checkAuthority(statement, context.getSession().getUserName());
-    if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()) {
-      throw new RuntimeException(new IoTDBException(status.getMessage(), status.getCode()));
-    }
-
-    ExecutionResult executionResult = executeStatement(statement, context);
-    status = executionResult.status;
+    ExecutionResult executionResult =
+        executeStatement(
+            new AlterSchemaTemplateStatement(
+                templateName,
+                measurementList,
+                dataTypeList,
+                encodingList,
+                compressionTypeList,
+                TemplateAlterOperationType.EXTEND_TEMPLATE),
+            context);
+    TSStatus status = executionResult.status;
     if (status.getCode() != TSStatusCode.SUCCESS_STATUS.getStatusCode()
         && status.getCode()
             != TSStatusCode.MEASUREMENT_ALREADY_EXISTS_IN_TEMPLATE.getStatusCode()) {

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/statement/metadata/template/AlterSchemaTemplateStatement.java

@@ -19,10 +19,7 @@
 
 package org.apache.iotdb.db.queryengine.plan.statement.metadata.template;
 
-import org.apache.iotdb.common.rpc.thrift.TSStatus;
-import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.path.PartialPath;
-import org.apache.iotdb.db.auth.AuthorityChecker;
 import org.apache.iotdb.db.queryengine.plan.analyze.QueryType;
 import org.apache.iotdb.db.queryengine.plan.statement.IConfigStatement;
 import org.apache.iotdb.db.queryengine.plan.statement.Statement;
@@ -31,7 +28,6 @@
 import org.apache.iotdb.db.schemaengine.template.TemplateAlterOperationType;
 import org.apache.iotdb.db.schemaengine.template.alter.TemplateAlterInfo;
 import org.apache.iotdb.db.schemaengine.template.alter.TemplateExtendInfo;
-import org.apache.iotdb.rpc.TSStatusCode;
 import org.apache.iotdb.tsfile.file.metadata.enums.CompressionType;
 import org.apache.iotdb.tsfile.file.metadata.enums.TSDataType;
 import org.apache.iotdb.tsfile.file.metadata.enums.TSEncoding;
@@ -85,21 +81,6 @@ public List<PartialPath> getPaths() {
     return Collections.emptyList();
   }
 
-  @Override
-  public TSStatus checkPermissionBeforeProcess(String userName) {
-    if (AuthorityChecker.SUPER_USER.equals(userName)) {
-      return new TSStatus(TSStatusCode.SUCCESS_STATUS.getStatusCode());
-    }
-    if (operationType == EXTEND_TEMPLATE) {
-      return AuthorityChecker.getTSStatus(
-          AuthorityChecker.checkSystemPermission(userName, PrivilegeType.EXTEND_TEMPLATE.ordinal()),
-          PrivilegeType.EXTEND_TEMPLATE);
-    } else {
-      return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
-          .setMessage("Only the admin user can perform this operation");
-    }
-  }
-
   @Override
   public <R, C> R accept(StatementVisitor<R, C> visitor, C context) {
     return visitor.visitAlterSchemaTemplate(this, context);