From a0fffa7eda2b04ffcc42f36e7d76445a0f101642 Mon Sep 17 00:00:00 2001 From: kailixu Date: Thu, 9 May 2024 09:44:09 +0800 Subject: [PATCH 1/8] enh: grant support s3/active-active/dual-replica/db_encryption --- include/common/tgrant.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/common/tgrant.h b/include/common/tgrant.h index 5a2ed5804545..7e7162204e26 100644 --- a/include/common/tgrant.h +++ b/include/common/tgrant.h @@ -56,6 +56,10 @@ typedef enum { TSDB_GRANT_VIEW, TSDB_GRANT_MULTI_TIER, TSDB_GRANT_BACKUP_RESTORE, + TSDB_GRANT_OBJECT_STORAGE, + TSDB_GRANT_ACTIVE_ACTIVE, + TSDB_GRANT_DUAL_REPLICA_HA, + TSDB_GRANT_DB_ENCRYPTION, } EGrantType; int32_t checkAndGetCryptKey(const char *encryptCode, const char *machineId, char **key); From e5547eccbf5825665f6b5fb49544d2acd373fbc9 Mon Sep 17 00:00:00 2001 From: dmchen Date: Thu, 9 May 2024 02:44:38 +0000 Subject: [PATCH 2/8] encrypt grant --- include/util/taoserror.h | 1 + source/dnode/mnode/impl/src/mndDb.c | 7 +++++++ source/util/src/terror.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/util/taoserror.h b/include/util/taoserror.h index 03a024bb8c7a..dafdac9649da 100644 --- a/include/util/taoserror.h +++ b/include/util/taoserror.h @@ -327,6 +327,7 @@ int32_t* taosGetErrno(); #define TSDB_CODE_MND_DB_IN_CREATING TAOS_DEF_ERROR_CODE(0, 0x0396) // #define TSDB_CODE_MND_INVALID_SYS_TABLENAME TAOS_DEF_ERROR_CODE(0, 0x039A) #define TSDB_CODE_MND_ENCRYPT_NOT_ALLOW_CHANGE TAOS_DEF_ERROR_CODE(0, 0x039B) +#define TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED TAOS_DEF_ERROR_CODE(0, 0x039C) // mnode-node #define TSDB_CODE_MND_MNODE_ALREADY_EXIST TAOS_DEF_ERROR_CODE(0, 0x03A0) diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index 6d638dab3b23..48569c06003b 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -843,6 +843,13 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { } sdbRelease(pSdb, pDnode); } + + if(grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0){ + code = TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED; + errno = code; + mError("db:%s, failed to create db since %s", pReq->db, terrstr()); + goto _exit; + } #else if (pReq->encryptAlgorithm != TSDB_ENCRYPT_ALGO_NONE) { code = TSDB_CODE_MND_INVALID_DB_OPTION; diff --git a/source/util/src/terror.c b/source/util/src/terror.c index 3ef656b2b406..a0b4a74ca75f 100644 --- a/source/util/src/terror.c +++ b/source/util/src/terror.c @@ -259,6 +259,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_IN_CREATING, "Database in creating TAOS_DEFINE_ERROR(TSDB_CODE_MND_ENCRYPT_NOT_ALLOW_CHANGE, "Encryption is not allowed to be changed after database is created") TAOS_DEFINE_ERROR(TSDB_CODE_MND_INCONSIST_ENCRYPT_KEY, "Inconsistent encryption key") TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_ENCRYPT_KEY, "The cluster has not been set properly for database encryption") +TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED, "The database encryption funtion grant expired") // mnode-node TAOS_DEFINE_ERROR(TSDB_CODE_MND_MNODE_ALREADY_EXIST, "Mnode already exists") From 41eb82c4de76adfc1daae84e12934043d1241c0f Mon Sep 17 00:00:00 2001 From: Minglei Jin Date: Thu, 9 May 2024 15:14:37 +0800 Subject: [PATCH 3/8] enh(s3/grant): disable s3 with expired grant --- source/dnode/mgmt/node_mgmt/CMakeLists.txt | 5 +++++ source/dnode/mgmt/node_mgmt/src/dmEnv.c | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/source/dnode/mgmt/node_mgmt/CMakeLists.txt b/source/dnode/mgmt/node_mgmt/CMakeLists.txt index 82b9384d6606..4f362f5a7437 100644 --- a/source/dnode/mgmt/node_mgmt/CMakeLists.txt +++ b/source/dnode/mgmt/node_mgmt/CMakeLists.txt @@ -16,6 +16,11 @@ IF (DEFINED GRANT_CFG_INCLUDE_DIR) add_definitions(-DGRANTS_CFG) ENDIF() +IF (TD_GRANT) + ADD_DEFINITIONS(-D_GRANT) + TARGET_LINK_LIBRARIES(dnode grant) +ENDIF () + target_include_directories( dnode PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/inc" diff --git a/source/dnode/mgmt/node_mgmt/src/dmEnv.c b/source/dnode/mgmt/node_mgmt/src/dmEnv.c index 12712d65853e..4619214f4009 100644 --- a/source/dnode/mgmt/node_mgmt/src/dmEnv.c +++ b/source/dnode/mgmt/node_mgmt/src/dmEnv.c @@ -17,6 +17,7 @@ #include "dmMgmt.h" #include "audit.h" #include "libs/function/tudf.h" +#include "tgrant.h" #define DM_INIT_AUDIT() \ do { \ @@ -150,6 +151,7 @@ static bool dmCheckDataDirVersion() { extern int32_t s3Begin(); extern void s3End(); +extern int8_t tsS3Enabled; #endif @@ -164,6 +166,12 @@ int32_t dmInit() { if (dmInitAudit() != 0) return -1; if (dmInitDnode(dmInstance()) != 0) return -1; #if defined(USE_S3) + int32_t expired = grantCheck(TSDB_GRANT_OBJECT_STORAGE); + if (expired && tsS3Enabled) { + dWarn("s3 grant expired: %d", expired); + tsS3Enabled = false; + } + if (s3Begin() != 0) return -1; #endif From 7418711878ff8c3385f72625fbbb05b18cd5aae3 Mon Sep 17 00:00:00 2001 From: kailixu Date: Fri, 10 May 2024 17:25:33 +0800 Subject: [PATCH 4/8] test: test case for show grants full --- .../0-others/information_schema.py | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/tests/system-test/0-others/information_schema.py b/tests/system-test/0-others/information_schema.py index 2924ebd38810..944b2fbb1ef3 100644 --- a/tests/system-test/0-others/information_schema.py +++ b/tests/system-test/0-others/information_schema.py @@ -269,13 +269,17 @@ def ins_dnodes_check(self): def ins_grants_check(self): grant_name_dict = { - 'stream':'stream', - 'subscription':'subscription', - 'view':'view', - 'audit':'audit', - 'csv':'csv', - 'storage':'multi_tier_storage', - 'backup_restore':'backup_restore', + 'stream':'Stream', + 'subscription':'Subscription', + 'view':'View', + 'audit':'Audit', + 'csv':'CSV', + 'storage':'Multi-Tier Storage', + 'backup_restore':'Data Backup & Restore', + 'object_storage':'Object Storage', + 'active_active':'Active-Active', + 'dual_replica':'Dual-Replica HA', + 'db_encryption':'Database Encryption', 'opc_da':'OPC_DA', 'opc_ua':'OPC_UA', 'pi':'Pi', @@ -285,7 +289,10 @@ def ins_grants_check(self): 'avevahistorian':'avevaHistorian', 'opentsdb':'OpenTSDB', 'td2.6':'TDengine2.6', - 'td3.0':'TDengine3.0' + 'td3.0':'TDengine3.0', + 'mysql':'MySQL', + 'postgres':'PostgreSQL', + 'oracle':'Oracle', } tdSql.execute('drop database if exists db2') @@ -297,7 +304,7 @@ def ins_grants_check(self): if result[i][0] in grant_name_dict: tdSql.checkEqual(result[i][1], grant_name_dict[result[i][0]]) index += 1 - tdSql.checkEqual(index, 17) + tdSql.checkEqual(index, 24) tdSql.query(f'select * from information_schema.ins_grants_logs') result = tdSql.queryResult tdSql.checkEqual(True, len(result) >= 0) From 9cf2529cacf7d78525588114a49372386db24045 Mon Sep 17 00:00:00 2001 From: dmchen Date: Sat, 11 May 2024 02:12:31 +0000 Subject: [PATCH 5/8] check grant first --- source/dnode/mnode/impl/src/mndDb.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index 48569c06003b..9bc370c466ae 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -820,6 +820,13 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { void *pIter = NULL; #ifdef TD_ENTERPRISE + if(grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0){ + code = TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED; + errno = code; + mError("db:%s, failed to create db since %s", pReq->db, terrstr()); + goto _exit; + } + if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit; if (tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED) { code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; @@ -844,12 +851,6 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { sdbRelease(pSdb, pDnode); } - if(grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0){ - code = TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED; - errno = code; - mError("db:%s, failed to create db since %s", pReq->db, terrstr()); - goto _exit; - } #else if (pReq->encryptAlgorithm != TSDB_ENCRYPT_ALGO_NONE) { code = TSDB_CODE_MND_INVALID_DB_OPTION; From c575d7a8505a7135ad30d9da262613432460b003 Mon Sep 17 00:00:00 2001 From: Shungang Li Date: Thu, 9 May 2024 10:12:28 +0800 Subject: [PATCH 6/8] enh: grant check for dual-replica-ha --- source/dnode/mnode/impl/src/mndDb.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index 9bc370c466ae..9dc06c802caa 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -911,6 +911,13 @@ static int32_t mndProcessCreateDbReq(SRpcMsg *pReq) { goto _OVER; } + if (createReq.replications == 2) { + if ((terrno = grantCheck(TSDB_GRANT_DUAL_REPLICA_HA)) != 0) { + code = terrno; + goto _OVER; + } + } + if ((code = mndCheckDbEncryptKey(pMnode, &createReq)) != 0) { terrno = code; goto _OVER; @@ -1171,6 +1178,12 @@ static int32_t mndProcessAlterDbReq(SRpcMsg *pReq) { goto _OVER; } + if (alterReq.replications == 2) { + if ((code = grantCheck(TSDB_GRANT_DUAL_REPLICA_HA)) != 0) { + goto _OVER; + } + } + int32_t numOfTopics = 0; if (mndGetNumOfTopics(pMnode, pDb->name, &numOfTopics) != 0) { goto _OVER; From e3442474cfccfb0293a78cbf904339b18a0065ee Mon Sep 17 00:00:00 2001 From: kailixu Date: Sun, 12 May 2024 23:09:56 +0800 Subject: [PATCH 7/8] fix: grants for database encryption --- source/dnode/mnode/impl/src/mndDb.c | 8 ++------ source/util/src/terror.c | 2 +- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/source/dnode/mnode/impl/src/mndDb.c b/source/dnode/mnode/impl/src/mndDb.c index 9dc06c802caa..f254fb16a525 100644 --- a/source/dnode/mnode/impl/src/mndDb.c +++ b/source/dnode/mnode/impl/src/mndDb.c @@ -820,14 +820,11 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { void *pIter = NULL; #ifdef TD_ENTERPRISE - if(grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0){ + if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit; + if (grantCheck(TSDB_GRANT_DB_ENCRYPTION) != 0) { code = TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED; - errno = code; - mError("db:%s, failed to create db since %s", pReq->db, terrstr()); goto _exit; } - - if (pReq->encryptAlgorithm == TSDB_ENCRYPT_ALGO_NONE) goto _exit; if (tsEncryptionKeyStat != ENCRYPT_KEY_STAT_LOADED) { code = TSDB_CODE_MND_INVALID_ENCRYPT_KEY; mError("db:%s, failed to check encryption key:%" PRIi8 " in mnode leader since it's not loaded", pReq->db, @@ -850,7 +847,6 @@ static int32_t mndCheckDbEncryptKey(SMnode *pMnode, SCreateDbReq *pReq) { } sdbRelease(pSdb, pDnode); } - #else if (pReq->encryptAlgorithm != TSDB_ENCRYPT_ALGO_NONE) { code = TSDB_CODE_MND_INVALID_DB_OPTION; diff --git a/source/util/src/terror.c b/source/util/src/terror.c index a0b4a74ca75f..daf0d2fe7896 100644 --- a/source/util/src/terror.c +++ b/source/util/src/terror.c @@ -259,7 +259,7 @@ TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_IN_CREATING, "Database in creating TAOS_DEFINE_ERROR(TSDB_CODE_MND_ENCRYPT_NOT_ALLOW_CHANGE, "Encryption is not allowed to be changed after database is created") TAOS_DEFINE_ERROR(TSDB_CODE_MND_INCONSIST_ENCRYPT_KEY, "Inconsistent encryption key") TAOS_DEFINE_ERROR(TSDB_CODE_MND_INVALID_ENCRYPT_KEY, "The cluster has not been set properly for database encryption") -TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED, "The database encryption funtion grant expired") +TAOS_DEFINE_ERROR(TSDB_CODE_MND_DB_ENCRYPT_GRANT_EXPIRED, "The database encryption function grant expired") // mnode-node TAOS_DEFINE_ERROR(TSDB_CODE_MND_MNODE_ALREADY_EXIST, "Mnode already exists") From b6eec20dfbc851193e1fe883da1cc1fde38b2c05 Mon Sep 17 00:00:00 2001 From: Minglei Jin Date: Mon, 13 May 2024 19:10:55 +0800 Subject: [PATCH 8/8] fix(s3/grant): checking grant when doing migrate --- source/common/src/tglobal.c | 2 ++ source/dnode/mgmt/node_mgmt/CMakeLists.txt | 5 ----- source/dnode/mgmt/node_mgmt/src/dmEnv.c | 6 ------ source/dnode/vnode/src/tsdb/tsdbRetention.c | 10 ++++++++++ 4 files changed, 12 insertions(+), 11 deletions(-) diff --git a/source/common/src/tglobal.c b/source/common/src/tglobal.c index 8b7901e2a75b..f4999ed368fa 100644 --- a/source/common/src/tglobal.c +++ b/source/common/src/tglobal.c @@ -296,6 +296,7 @@ char tsS3AccessKeySecret[TSDB_FQDN_LEN] = ""; char tsS3BucketName[TSDB_FQDN_LEN] = ""; char tsS3AppId[TSDB_FQDN_LEN] = ""; int8_t tsS3Enabled = false; +int8_t tsS3EnabledCfg = false; int8_t tsS3Oss = false; int8_t tsS3StreamEnabled = false; @@ -375,6 +376,7 @@ int32_t taosSetS3Cfg(SConfig *pCfg) { #if defined(USE_COS) || defined(USE_S3) #ifdef TD_ENTERPRISE /*if (tsDiskCfgNum > 1) */ tsS3Enabled = true; + tsS3EnabledCfg = true; #endif tsS3StreamEnabled = true; #endif diff --git a/source/dnode/mgmt/node_mgmt/CMakeLists.txt b/source/dnode/mgmt/node_mgmt/CMakeLists.txt index 4f362f5a7437..82b9384d6606 100644 --- a/source/dnode/mgmt/node_mgmt/CMakeLists.txt +++ b/source/dnode/mgmt/node_mgmt/CMakeLists.txt @@ -16,11 +16,6 @@ IF (DEFINED GRANT_CFG_INCLUDE_DIR) add_definitions(-DGRANTS_CFG) ENDIF() -IF (TD_GRANT) - ADD_DEFINITIONS(-D_GRANT) - TARGET_LINK_LIBRARIES(dnode grant) -ENDIF () - target_include_directories( dnode PRIVATE "${CMAKE_CURRENT_SOURCE_DIR}/inc" diff --git a/source/dnode/mgmt/node_mgmt/src/dmEnv.c b/source/dnode/mgmt/node_mgmt/src/dmEnv.c index 4619214f4009..8e760c28be2d 100644 --- a/source/dnode/mgmt/node_mgmt/src/dmEnv.c +++ b/source/dnode/mgmt/node_mgmt/src/dmEnv.c @@ -166,12 +166,6 @@ int32_t dmInit() { if (dmInitAudit() != 0) return -1; if (dmInitDnode(dmInstance()) != 0) return -1; #if defined(USE_S3) - int32_t expired = grantCheck(TSDB_GRANT_OBJECT_STORAGE); - if (expired && tsS3Enabled) { - dWarn("s3 grant expired: %d", expired); - tsS3Enabled = false; - } - if (s3Begin() != 0) return -1; #endif diff --git a/source/dnode/vnode/src/tsdb/tsdbRetention.c b/source/dnode/vnode/src/tsdb/tsdbRetention.c index 5a138d2bed94..f4344296b440 100644 --- a/source/dnode/vnode/src/tsdb/tsdbRetention.c +++ b/source/dnode/vnode/src/tsdb/tsdbRetention.c @@ -757,6 +757,16 @@ static int32_t tsdbDoS3MigrateAsync(void *arg) { int32_t tsdbS3Migrate(STsdb *tsdb, int64_t now, int32_t sync) { int32_t code = 0; + extern int8_t tsS3EnabledCfg; + + int32_t expired = grantCheck(TSDB_GRANT_OBJECT_STORAGE); + if (expired && tsS3Enabled) { + tsdbWarn("s3 grant expired: %d", expired); + tsS3Enabled = false; + } else if (!expired && tsS3EnabledCfg) { + tsS3Enabled = true; + } + if (!tsS3Enabled) { return code; }