feat: table level privilege

include/common/tmsg.h

@@ -181,12 +181,8 @@ typedef enum _mgmt_table {
 #define TSDB_ALTER_USER_REMOVE_READ_TABLE      0xE
 #define TSDB_ALTER_USER_ADD_WRITE_TABLE        0xF
 #define TSDB_ALTER_USER_REMOVE_WRITE_TABLE     0x10
-#define TSDB_ALTER_USER_ADD_READ_TAG           0x11
+#define TSDB_ALTER_USER_ADD_ALL_TABLE          0x11
-#define TSDB_ALTER_USER_REMOVE_READ_TAG        0x12
+#define TSDB_ALTER_USER_REMOVE_ALL_TABLE       0x12
-#define TSDB_ALTER_USER_ADD_WRITE_TAG          0x13
-#define TSDB_ALTER_USER_REMOVE_WRITE_TAG       0x14
-#define TSDB_ALTER_USER_ADD_ALL_TABLE          0x15
-#define TSDB_ALTER_USER_REMOVE_ALL_TABLE       0x16
 
 #define TSDB_ALTER_USER_PRIVILEGES 0x2
 
@@ -713,6 +709,7 @@ typedef struct {
   SHashObj* writeDbs;
   SHashObj* readTbs;
   SHashObj* writeTbs;
+  SHashObj* useDbs;
 } SGetUserAuthRsp;
 
 int32_t tSerializeSGetUserAuthRsp(void* buf, int32_t bufLen, SGetUserAuthRsp* pRsp);

source/common/src/tmsg.c

@@ -1445,14 +1445,10 @@ int32_t tSerializeSGetUserAuthRspImpl(SEncoder *pEncoder, SGetUserAuthRsp *pRsp)
   int32_t numOfCreatedDbs = taosHashGetSize(pRsp->createdDbs);
   int32_t numOfReadDbs = taosHashGetSize(pRsp->readDbs);
   int32_t numOfWriteDbs = taosHashGetSize(pRsp->writeDbs);
-  int32_t numOfReadTbs = taosHashGetSize(pRsp->readTbs);
-  int32_t numOfWriteTbs = taosHashGetSize(pRsp->writeTbs);
 
   if (tEncodeI32(pEncoder, numOfCreatedDbs) < 0) return -1;
   if (tEncodeI32(pEncoder, numOfReadDbs) < 0) return -1;
   if (tEncodeI32(pEncoder, numOfWriteDbs) < 0) return -1;
-  if (tEncodeI32(pEncoder, numOfReadTbs) < 0) return -1;
-  if (tEncodeI32(pEncoder, numOfWriteTbs) < 0) return -1;
 
   char *db = taosHashIterate(pRsp->createdDbs, NULL);
   while (db != NULL) {
@@ -1472,6 +1468,13 @@ int32_t tSerializeSGetUserAuthRspImpl(SEncoder *pEncoder, SGetUserAuthRsp *pRsp)
     db = taosHashIterate(pRsp->writeDbs, db);
   }
 
+  int32_t numOfReadTbs = taosHashGetSize(pRsp->readTbs);
+  int32_t numOfWriteTbs = taosHashGetSize(pRsp->writeTbs);
+  int32_t numOfUseTbs = taosHashGetSize(pRsp->useDbs);
+  if (tEncodeI32(pEncoder, numOfReadTbs) < 0) return -1;
+  if (tEncodeI32(pEncoder, numOfWriteTbs) < 0) return -1;
+  if (tEncodeI32(pEncoder, numOfUseTbs) < 0) return -1;
+
   char *tb = taosHashIterate(pRsp->readTbs, NULL);
   while (tb != NULL) {
     size_t keyLen = 0;
@@ -1502,6 +1505,17 @@ int32_t tSerializeSGetUserAuthRspImpl(SEncoder *pEncoder, SGetUserAuthRsp *pRsp)
     tb = taosHashIterate(pRsp->writeTbs, tb);
   }
 
+  int32_t *useDb = taosHashIterate(pRsp->useDbs, NULL);
+  while (useDb != NULL) {
+    size_t keyLen = 0;
+    void  *key = taosHashGetKey(useDb, &keyLen);
+    if (tEncodeI32(pEncoder, keyLen) < 0) return -1;
+    if (tEncodeCStr(pEncoder, key) < 0) return -1;
+
+    if (tEncodeI32(pEncoder, *useDb) < 0) return -1;
+    useDb = taosHashIterate(pRsp->useDbs, useDb);
+  }
+
   return 0;
 }
 
@@ -1526,7 +1540,9 @@ int32_t tDeserializeSGetUserAuthRspImpl(SDecoder *pDecoder, SGetUserAuthRsp *pRs
   pRsp->writeDbs = taosHashInit(4, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
   pRsp->readTbs = taosHashInit(4, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
   pRsp->writeTbs = taosHashInit(4, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
-  if (pRsp->readDbs == NULL || pRsp->writeDbs == NULL) {
+  pRsp->useDbs = taosHashInit(4, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
+  if (pRsp->createdDbs == NULL || pRsp->readDbs == NULL || pRsp->writeDbs == NULL || pRsp->readTbs == NULL ||
+      pRsp->writeTbs == NULL || pRsp->useDbs == NULL) {
     return -1;
   }
 
@@ -1540,13 +1556,9 @@ int32_t tDeserializeSGetUserAuthRspImpl(SDecoder *pDecoder, SGetUserAuthRsp *pRs
   int32_t numOfCreatedDbs = 0;
   int32_t numOfReadDbs = 0;
   int32_t numOfWriteDbs = 0;
-  int32_t numOfReadTbs = 0;
-  int32_t numOfWriteTbs = 0;
   if (tDecodeI32(pDecoder, &numOfCreatedDbs) < 0) return -1;
   if (tDecodeI32(pDecoder, &numOfReadDbs) < 0) return -1;
   if (tDecodeI32(pDecoder, &numOfWriteDbs) < 0) return -1;
-  if (tDecodeI32(pDecoder, &numOfReadTbs) < 0) return -1;
-  if (tDecodeI32(pDecoder, &numOfWriteTbs) < 0) return -1;
 
   for (int32_t i = 0; i < numOfCreatedDbs; ++i) {
     char db[TSDB_DB_FNAME_LEN] = {0};
@@ -1569,6 +1581,14 @@ int32_t tDeserializeSGetUserAuthRspImpl(SDecoder *pDecoder, SGetUserAuthRsp *pRs
     taosHashPut(pRsp->writeDbs, db, len, db, len);
   }
 
+  if (!tDecodeIsEnd(pDecoder)) {
+    int32_t numOfReadTbs = 0;
+    int32_t numOfWriteTbs = 0;
+    int32_t numOfUseDbs = 0;
+    if (tDecodeI32(pDecoder, &numOfReadTbs) < 0) return -1;
+    if (tDecodeI32(pDecoder, &numOfWriteTbs) < 0) return -1;
+    if (tDecodeI32(pDecoder, &numOfUseDbs) < 0) return -1;
+
     for (int32_t i = 0; i < numOfReadTbs; ++i) {
       int32_t keyLen = 0;
       if (tDecodeI32(pDecoder, &keyLen) < 0) return -1;
@@ -1581,7 +1601,7 @@ int32_t tDeserializeSGetUserAuthRspImpl(SDecoder *pDecoder, SGetUserAuthRsp *pRs
       char *value = taosMemoryCalloc(valuelen + 1, sizeof(char));
       if (tDecodeCStrTo(pDecoder, value) < 0) return -1;
 
-    taosHashPut(pRsp->readTbs, key, strlen(key), value, valuelen);
+      taosHashPut(pRsp->readTbs, key, strlen(key), value, valuelen + 1);
 
       taosMemoryFree(key);
       taosMemoryFree(value);
@@ -1599,12 +1619,25 @@ int32_t tDeserializeSGetUserAuthRspImpl(SDecoder *pDecoder, SGetUserAuthRsp *pRs
       char *value = taosMemoryCalloc(valuelen + 1, sizeof(char));
       if (tDecodeCStrTo(pDecoder, value) < 0) return -1;
 
-    taosHashPut(pRsp->writeTbs, key, strlen(key), value, valuelen);
+      taosHashPut(pRsp->writeTbs, key, strlen(key), value, valuelen + 1);
 
       taosMemoryFree(key);
       taosMemoryFree(value);
     }
 
+    for (int32_t i = 0; i < numOfUseDbs; ++i) {
+      int32_t keyLen = 0;
+      if (tDecodeI32(pDecoder, &keyLen) < 0) return -1;
+
+      char *key = taosMemoryCalloc(keyLen + 1, sizeof(char));
+      if (tDecodeCStrTo(pDecoder, key) < 0) return -1;
+
+      int32_t ref = 0;
+      if (tDecodeI32(pDecoder, &ref) < 0) return -1;
+      taosHashPut(pRsp->useDbs, key, strlen(key), &ref, sizeof(ref));
+    }
+  }
+
   return 0;
 }
 
@@ -1628,6 +1661,7 @@ void tFreeSGetUserAuthRsp(SGetUserAuthRsp *pRsp) {
   taosHashCleanup(pRsp->writeDbs);
   taosHashCleanup(pRsp->writeTbs);
   taosHashCleanup(pRsp->readTbs);
+  taosHashCleanup(pRsp->useDbs);
 }
 
 int32_t tSerializeSCreateDropMQSNodeReq(void *buf, int32_t bufLen, SMCreateQnodeReq *pReq) {

source/dnode/mnode/impl/inc/mndDef.h

@@ -282,6 +282,7 @@ typedef struct {
   SHashObj* topics;
   SHashObj* readTbs;
   SHashObj* writeTbs;
+  SHashObj* useDbs;
   SRWLatch  lock;
 } SUserObj;
 

source/dnode/mnode/impl/src/mndUser.c

@@ -128,8 +128,9 @@ SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
   int32_t numOfReadStbs = taosHashGetSize(pUser->readTbs);
   int32_t numOfWriteStbs = taosHashGetSize(pUser->writeTbs);
   int32_t numOfTopics = taosHashGetSize(pUser->topics);
-  int32_t size = sizeof(SUserObj) + USER_RESERVE_SIZE + (numOfReadDbs + numOfWriteDbs) * TSDB_DB_FNAME_LEN +
+  int32_t numOfUseDbs = taosHashGetSize(pUser->useDbs);
-                 numOfTopics * TSDB_TOPIC_FNAME_LEN;
+  int32_t size = sizeof(SUserObj) + USER_RESERVE_SIZE +
+                 (numOfReadDbs + numOfWriteDbs + numOfUseDbs) * TSDB_DB_FNAME_LEN + numOfTopics * TSDB_TOPIC_FNAME_LEN;
 
   char *stb = taosHashIterate(pUser->readTbs, NULL);
   while (stb != NULL) {
@@ -176,8 +177,6 @@ SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
   SDB_SET_INT32(pRaw, dataPos, numOfReadDbs, _OVER)
   SDB_SET_INT32(pRaw, dataPos, numOfWriteDbs, _OVER)
   SDB_SET_INT32(pRaw, dataPos, numOfTopics, _OVER)
-  SDB_SET_INT32(pRaw, dataPos, numOfReadStbs, _OVER)
-  SDB_SET_INT32(pRaw, dataPos, numOfWriteStbs, _OVER)
 
   char *db = taosHashIterate(pUser->readDbs, NULL);
   while (db != NULL) {
@@ -197,6 +196,10 @@ SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
     topic = taosHashIterate(pUser->topics, topic);
   }
 
+  SDB_SET_INT32(pRaw, dataPos, numOfReadStbs, _OVER)
+  SDB_SET_INT32(pRaw, dataPos, numOfWriteStbs, _OVER)
+  SDB_SET_INT32(pRaw, dataPos, numOfUseDbs, _OVER)
+
   stb = taosHashIterate(pUser->readTbs, NULL);
   while (stb != NULL) {
     size_t keyLen = 0;
@@ -225,6 +228,17 @@ SSdbRaw *mndUserActionEncode(SUserObj *pUser) {
     stb = taosHashIterate(pUser->writeTbs, stb);
   }
 
+  int32_t *useDb = taosHashIterate(pUser->useDbs, NULL);
+  while (useDb != NULL) {
+    size_t keyLen = 0;
+    void  *key = taosHashGetKey(useDb, &keyLen);
+    SDB_SET_INT32(pRaw, dataPos, keyLen, _OVER)
+    SDB_SET_BINARY(pRaw, dataPos, key, keyLen, _OVER);
+
+    SDB_SET_INT32(pRaw, dataPos, *useDb, _OVER)
+    useDb = taosHashIterate(pUser->writeTbs, useDb);
+  }
+
   SDB_SET_RESERVE(pRaw, dataPos, USER_RESERVE_SIZE, _OVER)
   SDB_SET_DATALEN(pRaw, dataPos, _OVER)
 
@@ -275,26 +289,16 @@ static SSdbRow *mndUserActionDecode(SSdbRaw *pRaw) {
   int32_t numOfReadDbs = 0;
   int32_t numOfWriteDbs = 0;
   int32_t numOfTopics = 0;
-  int32_t numOfReadStbs = 0;
-  int32_t numOfWriteStbs = 0;
   SDB_GET_INT32(pRaw, dataPos, &numOfReadDbs, _OVER)
   SDB_GET_INT32(pRaw, dataPos, &numOfWriteDbs, _OVER)
   if (sver >= 2) {
     SDB_GET_INT32(pRaw, dataPos, &numOfTopics, _OVER)
   }
-  if (sver >= 3) {
-    SDB_GET_INT32(pRaw, dataPos, &numOfReadStbs, _OVER)
-    SDB_GET_INT32(pRaw, dataPos, &numOfWriteStbs, _OVER)
-  }
 
   pUser->readDbs = taosHashInit(numOfReadDbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
   pUser->writeDbs =
       taosHashInit(numOfWriteDbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
   pUser->topics = taosHashInit(numOfTopics, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
-  pUser->readTbs =
-      taosHashInit(numOfReadStbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
-  pUser->writeTbs =
-      taosHashInit(numOfWriteStbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
   if (pUser->readDbs == NULL || pUser->writeDbs == NULL || pUser->topics == NULL) goto _OVER;
 
   for (int32_t i = 0; i < numOfReadDbs; ++i) {
@@ -321,6 +325,19 @@ static SSdbRow *mndUserActionDecode(SSdbRaw *pRaw) {
   }
 
   if (sver >= 3) {
+    int32_t numOfReadStbs = 0;
+    int32_t numOfWriteStbs = 0;
+    int32_t numOfUseDbs = 0;
+    SDB_GET_INT32(pRaw, dataPos, &numOfReadStbs, _OVER)
+    SDB_GET_INT32(pRaw, dataPos, &numOfWriteStbs, _OVER)
+    SDB_GET_INT32(pRaw, dataPos, &numOfUseDbs, _OVER)
+
+    pUser->readTbs =
+        taosHashInit(numOfReadStbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
+    pUser->writeTbs =
+        taosHashInit(numOfWriteStbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
+    pUser->useDbs = taosHashInit(numOfUseDbs, taosGetDefaultHashFunction(TSDB_DATA_TYPE_BINARY), true, HASH_ENTRY_LOCK);
+
     for (int32_t i = 0; i < numOfReadStbs; ++i) {
       int32_t keyLen = 0;
       SDB_GET_INT32(pRaw, dataPos, &keyLen, _OVER);
@@ -332,7 +349,7 @@ static SSdbRow *mndUserActionDecode(SSdbRaw *pRaw) {
       int32_t valuelen = 0;
       SDB_GET_INT32(pRaw, dataPos, &valuelen, _OVER);
       char *value = taosMemoryCalloc(valuelen, sizeof(char));
-      memset(value, 0, keyLen);
+      memset(value, 0, valuelen);
       SDB_GET_BINARY(pRaw, dataPos, value, valuelen, _OVER)
 
       taosHashPut(pUser->readTbs, key, keyLen, value, valuelen);
@@ -360,6 +377,20 @@ static SSdbRow *mndUserActionDecode(SSdbRaw *pRaw) {
       taosMemoryFree(key);
       taosMemoryFree(value);
     }
+
+    for (int32_t i = 0; i < numOfUseDbs; ++i) {
+      int32_t keyLen = 0;
+      SDB_GET_INT32(pRaw, dataPos, &keyLen, _OVER);
+
+      char *key = taosMemoryCalloc(keyLen, sizeof(char));
+      memset(key, 0, keyLen);
+      SDB_GET_BINARY(pRaw, dataPos, key, keyLen, _OVER);
+
+      int32_t ref = 0;
+      SDB_GET_INT32(pRaw, dataPos, &ref, _OVER);
+
+      taosHashPut(pUser->useDbs, key, keyLen, &ref, sizeof(ref));
+    }
   }
 
   SDB_GET_RESERVE(pRaw, dataPos, USER_RESERVE_SIZE, _OVER)
@@ -376,6 +407,7 @@ _OVER:
       taosHashCleanup(pUser->topics);
       taosHashCleanup(pUser->readTbs);
       taosHashCleanup(pUser->writeTbs);
+      taosHashCleanup(pUser->useDbs);
     }
     taosMemoryFreeClear(pRow);
     return NULL;
@@ -437,6 +469,7 @@ static int32_t mndUserDupObj(SUserObj *pUser, SUserObj *pNew) {
   pNew->readTbs = mndDupTableHash(pUser->readTbs);
   pNew->writeTbs = mndDupTableHash(pUser->writeTbs);
   pNew->topics = mndDupTopicHash(pUser->topics);
+  pNew->useDbs = mndDupDbHash(pUser->useDbs);
   taosRUnLockLatch(&pUser->lock);
 
   if (pNew->readDbs == NULL || pNew->writeDbs == NULL || pNew->topics == NULL) {
@@ -451,11 +484,13 @@ static void mndUserFreeObj(SUserObj *pUser) {
   taosHashCleanup(pUser->topics);
   taosHashCleanup(pUser->readTbs);
   taosHashCleanup(pUser->writeTbs);
+  taosHashCleanup(pUser->useDbs);
   pUser->readDbs = NULL;
   pUser->writeDbs = NULL;
   pUser->topics = NULL;
   pUser->readTbs = NULL;
   pUser->writeTbs = NULL;
+  pUser->useDbs = NULL;
 }
 
 static int32_t mndUserActionDelete(SSdb *pSdb, SUserObj *pUser) {
@@ -477,6 +512,7 @@ static int32_t mndUserActionUpdate(SSdb *pSdb, SUserObj *pOld, SUserObj *pNew) {
   TSWAP(pOld->topics, pNew->topics);
   TSWAP(pOld->readTbs, pNew->readTbs);
   TSWAP(pOld->writeTbs, pNew->writeTbs);
+  TSWAP(pOld->useDbs, pNew->useDbs);
   taosWUnLockLatch(&pOld->lock);
 
   return 0;
@@ -647,38 +683,8 @@ SHashObj *mndDupDbHash(SHashObj *pOld) { return mndDupObjHash(pOld, TSDB_DB_FNAM
 
 SHashObj *mndDupTopicHash(SHashObj *pOld) { return mndDupObjHash(pOld, TSDB_TOPIC_FNAME_LEN); }
 
-static int32_t mndTagPriviledge(SMnode *pMnode, SHashObj *hash, SAlterUserReq *alterReq) {
+static int32_t mndTablePriviledge(SMnode *pMnode, SHashObj *hash, SHashObj *useDbHash, SAlterUserReq *alterReq,
-  char tbFName[TSDB_TABLE_FNAME_LEN] = {0};
+                                  SSdb *pSdb) {
-  snprintf(tbFName, TSDB_TABLE_FNAME_LEN, "%s.%s", alterReq->objname, alterReq->tabName);
-  int32_t len = strlen(tbFName) + 1;
-
-  SStbObj *pStb = mndAcquireStb(pMnode, tbFName);
-  if (pStb == NULL) {
-    mndReleaseStb(pMnode, pStb);
-    return -1;
-  }
-  if (alterReq->tagCond == NULL) {
-    mndReleaseStb(pMnode, pStb);
-    return -1;
-  }
-
-  char *value = taosHashGet(hash, tbFName, len);
-  if (value != NULL) {
-    mndReleaseStb(pMnode, pStb);
-    terrno = TSDB_CODE_MND_PRIVILEDGE_EXIST;
-    return -1;
-  }
-
-  int32_t condLen = alterReq->tagCondLen + 1;
-  if (taosHashPut(hash, tbFName, len, alterReq->tagCond, condLen) != 0) {
-    mndReleaseStb(pMnode, pStb);
-    return -1;
-  }
-  mndReleaseStb(pMnode, pStb);
-  return 0;
-}
-
-static int32_t mndTablePriviledge(SMnode *pMnode, SHashObj *hash, SAlterUserReq *alterReq, SSdb *pSdb) {
   void *pIter = NULL;
   char  tbFName[TSDB_TABLE_FNAME_LEN] = {0};
 
@@ -692,7 +698,7 @@ static int32_t mndTablePriviledge(SMnode *pMnode, SHashObj *hash, SAlterUserReq
       return -1;
     }
 
-    int32_t condLen = alterReq->tagCondLen + 1;
+    int32_t condLen = alterReq->tagCondLen;
     if (taosHashPut(hash, tbFName, len, alterReq->tagCond, condLen) != 0) {
       return -1;
     }
@@ -702,10 +708,21 @@ static int32_t mndTablePriviledge(SMnode *pMnode, SHashObj *hash, SAlterUserReq
     }
   }
 
+  int32_t  dbKeyLen = strlen(alterReq->objname) + 1;
+  int32_t  ref = 1;
+  int32_t *currRef = taosHashGet(useDbHash, alterReq->objname, dbKeyLen);
+  if (NULL != currRef) {
+    ref = (*currRef) + 1;
+  }
+  if (taosHashPut(useDbHash, alterReq->objname, dbKeyLen, &ref, sizeof(ref)) != 0) {
+    return -1;
+  }
+
   return 0;
 }
 
-static int32_t mndRemoveTablePriviledge(SMnode *pMnode, SHashObj *hash, SAlterUserReq *alterReq, SSdb *pSdb) {
+static int32_t mndRemoveTablePriviledge(SMnode *pMnode, SHashObj *hash, SHashObj *useDbHash, SAlterUserReq *alterReq,
+                                        SSdb *pSdb) {
   void *pIter = NULL;
   char  tbFName[TSDB_TABLE_FNAME_LEN] = {0};
   snprintf(tbFName, sizeof(tbFName), "%s.%s", alterReq->objname, alterReq->tabName);
@@ -715,6 +732,19 @@ static int32_t mndRemoveTablePriviledge(SMnode *pMnode, SHashObj *hash, SAlterUs
     return -1;
   }
 
+  int32_t  dbKeyLen = strlen(alterReq->objname) + 1;
+  int32_t *currRef = taosHashGet(useDbHash, alterReq->objname, dbKeyLen);
+  if (NULL == currRef || 1 == *currRef) {
+    if (taosHashRemove(useDbHash, alterReq->objname, dbKeyLen) != 0) {
+      return -1;
+    }
+    return 0;
+  }
+  int32_t ref = (*currRef) - 1;
+  if (taosHashPut(useDbHash, alterReq->objname, dbKeyLen, &ref, sizeof(ref)) != 0) {
+    return -1;
+  }
+
   return 0;
 }
 
@@ -858,21 +888,19 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
   }
 
   if (alterReq.alterType == TSDB_ALTER_USER_ADD_READ_TABLE) {
-    if (mndTablePriviledge(pMnode, newUser.readTbs, &alterReq, pSdb) != 0) goto _OVER;
+    if (mndTablePriviledge(pMnode, newUser.readTbs, newUser.useDbs, &alterReq, pSdb) != 0) goto _OVER;
   }
 
   if (alterReq.alterType == TSDB_ALTER_USER_ADD_WRITE_TABLE) {
-    if (mndTablePriviledge(pMnode, newUser.writeTbs, &alterReq, pSdb) != 0) goto _OVER;
+    if (mndTablePriviledge(pMnode, newUser.writeTbs, newUser.useDbs, &alterReq, pSdb) != 0) goto _OVER;
   }
 
-  if (alterReq.alterType == TSDB_ALTER_USER_REMOVE_READ_TABLE ||
+  if (alterReq.alterType == TSDB_ALTER_USER_REMOVE_READ_TABLE) {
-      alterReq.alterType == TSDB_ALTER_USER_REMOVE_READ_TAG) {
+    if (mndRemoveTablePriviledge(pMnode, newUser.readTbs, newUser.useDbs, &alterReq, pSdb) != 0) goto _OVER;
-    if (mndRemoveTablePriviledge(pMnode, newUser.readTbs, &alterReq, pSdb) != 0) goto _OVER;
   }
 
-  if (alterReq.alterType == TSDB_ALTER_USER_REMOVE_WRITE_TABLE ||
+  if (alterReq.alterType == TSDB_ALTER_USER_REMOVE_WRITE_TABLE) {
-      alterReq.alterType == TSDB_ALTER_USER_REMOVE_WRITE_TAG) {
+    if (mndRemoveTablePriviledge(pMnode, newUser.writeTbs, newUser.useDbs, &alterReq, pSdb) != 0) goto _OVER;
-    if (mndRemoveTablePriviledge(pMnode, newUser.writeTbs, &alterReq, pSdb) != 0) goto _OVER;
   }
 
   if (alterReq.alterType == TSDB_ALTER_USER_ADD_SUBSCRIBE_TOPIC) {
@@ -885,14 +913,6 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) {
     taosHashPut(newUser.topics, pTopic->name, len, pTopic->name, TSDB_TOPIC_FNAME_LEN);
   }
 
-  if (alterReq.alterType == TSDB_ALTER_USER_ADD_READ_TAG) {
-    if (mndTagPriviledge(pMnode, newUser.readTbs, &alterReq) != 0) goto _OVER;
-  }
-
-  if (alterReq.alterType == TSDB_ALTER_USER_ADD_WRITE_TAG) {
-    if (mndTagPriviledge(pMnode, newUser.writeTbs, &alterReq) != 0) goto _OVER;
-  }
-
   if (alterReq.alterType == TSDB_ALTER_USER_REMOVE_SUBSCRIBE_TOPIC) {
     int32_t      len = strlen(alterReq.objname) + 1;
     SMqTopicObj *pTopic = mndAcquireTopic(pMnode, alterReq.objname);
@@ -1397,8 +1417,6 @@ int32_t mndUserRemoveDb(SMnode *pMnode, STrans *pTrans, char *db) {
     if (inRead || inWrite) {
       (void)taosHashRemove(newUser.readDbs, db, len);
       (void)taosHashRemove(newUser.writeDbs, db, len);
-      (void)taosHashRemove(newUser.readTbs, db, len);
-      (void)taosHashRemove(newUser.writeTbs, db, len);
 
       SSdbRaw *pCommitRaw = mndUserActionEncode(&newUser);
       if (pCommitRaw == NULL || mndTransAppendCommitlog(pTrans, pCommitRaw) != 0) break;

source/libs/catalog/src/ctgCache.c

@@ -238,7 +238,8 @@ _return:
   return TSDB_CODE_SUCCESS;
 }
 
-int32_t ctgAcquireVgMetaFromCache(SCatalog *pCtg, const char *dbFName, const char *tbName, SCtgDBCache **pDb, SCtgTbCache **pTb) {
+int32_t ctgAcquireVgMetaFromCache(SCatalog *pCtg, const char *dbFName, const char *tbName, SCtgDBCache **pDb,
+                                  SCtgTbCache **pTb) {
   SCtgDBCache *dbCache = NULL;
   SCtgTbCache *tbCache = NULL;
   bool         vgInCache = false;
@@ -306,7 +307,6 @@ _return:
   return TSDB_CODE_SUCCESS;
 }
 
-
 /*
 int32_t ctgAcquireStbMetaFromCache(SCatalog *pCtg, char *dbFName, uint64_t suid, SCtgDBCache **pDb, SCtgTbCache **pTb) {
   SCtgDBCache *dbCache = NULL;
@@ -360,7 +360,8 @@ _return:
 }
 */
 
-int32_t ctgAcquireStbMetaFromCache(SCtgDBCache *dbCache, SCatalog *pCtg, char *dbFName, uint64_t suid, SCtgTbCache **pTb) {
+int32_t ctgAcquireStbMetaFromCache(SCtgDBCache *dbCache, SCatalog *pCtg, char *dbFName, uint64_t suid,
+                                   SCtgTbCache **pTb) {
   SCtgTbCache *pCache = NULL;
   char        *stName = taosHashAcquire(dbCache->stbCache, &suid, sizeof(suid));
   if (NULL == stName) {
@@ -459,7 +460,8 @@ int32_t ctgTbMetaExistInCache(SCatalog *pCtg, char *dbFName, char *tbName, int32
   return TSDB_CODE_SUCCESS;
 }
 
-int32_t ctgCopyTbMeta(SCatalog *pCtg, SCtgTbMetaCtx *ctx, SCtgDBCache **pDb, SCtgTbCache **pTb, STableMeta **pTableMeta, char* dbFName) {
+int32_t ctgCopyTbMeta(SCatalog *pCtg, SCtgTbMetaCtx *ctx, SCtgDBCache **pDb, SCtgTbCache **pTb, STableMeta **pTableMeta,
+                      char *dbFName) {
   SCtgDBCache *dbCache = *pDb;
   SCtgTbCache *tbCache = *pTb;
   STableMeta  *tbMeta = tbCache->pMeta;
@@ -528,7 +530,6 @@ int32_t ctgCopyTbMeta(SCatalog *pCtg, SCtgTbMetaCtx *ctx, SCtgDBCache **pDb, SCt
   return TSDB_CODE_SUCCESS;
 }
 
-
 int32_t ctgReadTbMetaFromCache(SCatalog *pCtg, SCtgTbMetaCtx *ctx, STableMeta **pTableMeta) {
   int32_t      code = 0;
   SCtgDBCache *dbCache = NULL;
@@ -1698,7 +1699,6 @@ int32_t ctgVgInfoIdComp(void const* lp, void const* rp) {
   return 0;
 }
 
-
 int32_t ctgOpUpdateVgroup(SCtgCacheOperation *operation) {
   int32_t          code = 0;
   SCtgUpdateVgMsg *msg = operation->data;
@@ -2043,6 +2043,10 @@ int32_t ctgOpUpdateUser(SCtgCacheOperation *operation) {
   pUser->userAuth.writeTbs = msg->userAuth.writeTbs;
   msg->userAuth.writeTbs = NULL;
 
+  taosHashCleanup(pUser->userAuth.useDbs);
+  pUser->userAuth.useDbs = msg->userAuth.useDbs;
+  msg->userAuth.useDbs = NULL;
+
   CTG_UNLOCK(CTG_WRITE, &pUser->lock);
 
 _return:
@@ -2052,6 +2056,7 @@ _return:
   taosHashCleanup(msg->userAuth.writeDbs);
   taosHashCleanup(msg->userAuth.readTbs);
   taosHashCleanup(msg->userAuth.writeTbs);
+  taosHashCleanup(msg->userAuth.useDbs);
 
   taosMemoryFreeClear(msg);
 
@@ -2246,6 +2251,7 @@ void ctgFreeCacheOperationData(SCtgCacheOperation *op) {
       taosHashCleanup(msg->userAuth.writeDbs);
       taosHashCleanup(msg->userAuth.readTbs);
       taosHashCleanup(msg->userAuth.writeTbs);
+      taosHashCleanup(msg->userAuth.useDbs);
       taosMemoryFreeClear(op->data);
       break;
     }

source/libs/catalog/src/ctgUtil.c

@@ -179,6 +179,7 @@ void ctgFreeSCtgUserAuth(SCtgUserAuth* userCache) {
   taosHashCleanup(userCache->userAuth.writeDbs);
   taosHashCleanup(userCache->userAuth.readTbs);
   taosHashCleanup(userCache->userAuth.writeTbs);
+  taosHashCleanup(userCache->userAuth.useDbs);
 }
 
 void ctgFreeMetaRent(SCtgRentMgmt* mgmt) {
@@ -427,6 +428,7 @@ void ctgFreeMsgCtx(SCtgMsgCtx* pCtx) {
       taosHashCleanup(pOut->writeDbs);
       taosHashCleanup(pOut->readTbs);
       taosHashCleanup(pOut->writeTbs);
+      taosHashCleanup(pOut->useDbs);
       taosMemoryFreeClear(pCtx->out);
       break;
     }
@@ -990,7 +992,8 @@ int32_t ctgGetVgInfosFromHashValue(SCatalog* pCtg, SCtgTaskReq* tReq, SDBVgInfo*
   CTG_RET(code);
 }
 
-int32_t ctgGetVgIdsFromHashValue(SCatalog* pCtg, SDBVgInfo* dbInfo, char* dbFName, const char* pTbs[], int32_t tbNum, int32_t* vgId) {
+int32_t ctgGetVgIdsFromHashValue(SCatalog* pCtg, SDBVgInfo* dbInfo, char* dbFName, const char* pTbs[], int32_t tbNum,
+                                 int32_t* vgId) {
   int32_t code = 0;
   CTG_ERR_RET(ctgMakeVgArray(dbInfo));
 
@@ -1026,7 +1029,6 @@ int32_t ctgGetVgIdsFromHashValue(SCatalog* pCtg, SDBVgInfo* dbInfo, char* dbFNam
   CTG_RET(code);
 }
 
-
 int32_t ctgStbVersionSearchCompare(const void* key1, const void* key2) {
   if (*(uint64_t*)key1 < ((SSTableVersion*)key2)->suid) {
     return -1;
@@ -1090,7 +1092,6 @@ int32_t ctgMakeVgArray(SDBVgInfo* dbInfo) {
   return TSDB_CODE_SUCCESS;
 }
 
-
 int32_t ctgCloneVgInfo(SDBVgInfo* src, SDBVgInfo** dst) {
   CTG_ERR_RET(ctgMakeVgArray(src));
 
@@ -1352,38 +1353,40 @@ int32_t ctgChkSetTbAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) {
     return TSDB_CODE_SUCCESS;
   }
 
-  CTG_ERR_RET(catalogGetCachedTableMeta(pCtg, &req->pRawReq->tbName, &pMeta));
-  if (NULL == pMeta) {
-    if (req->onlyCache) {
-      res->metaNotExists = true;
-      ctgDebug("db %s tb %s meta not in cache for auth", req->pRawReq->tbName.dbname, req->pRawReq->tbName.tname);
-      return TSDB_CODE_SUCCESS;
-    }
-
-    CTG_ERR_RET(catalogGetTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, &pMeta));
-  }
-
-  if (TSDB_SUPER_TABLE == pMeta->tableType || TSDB_NORMAL_TABLE == pMeta->tableType) {
   res->pRawRes->pass = false;
-    goto _return;
-  }
 
-  if (TSDB_CHILD_TABLE == pMeta->tableType) {
+  // CTG_ERR_RET(catalogGetCachedTableMeta(pCtg, &req->pRawReq->tbName, &pMeta));
-    res->pRawRes->pass = true;
+  // if (NULL == pMeta) {
+  //   if (req->onlyCache) {
+  //     res->metaNotExists = true;
+  //     ctgDebug("db %s tb %s meta not in cache for auth", req->pRawReq->tbName.dbname, req->pRawReq->tbName.tname);
+  //     return TSDB_CODE_SUCCESS;
+  //   }
 
-/*  
+  //   CTG_ERR_RET(catalogGetTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, &pMeta));
-    char stbName[TSDB_TABLE_NAME_LEN] = {0};
+  // }
-    CTG_ERR_JRET(ctgGetCachedStbNameFromSuid(pCtg, pMeta->suid, stbName));
-    if (0 == stbName[0]) {
-      if (req->onlyCache) {
-        res->notExists = true;
-        return TSDB_CODE_SUCCESS;
-      }
 
-      CTG_ERR_RET(catalogRefreshTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, 0));
+  // if (TSDB_SUPER_TABLE == pMeta->tableType || TSDB_NORMAL_TABLE == pMeta->tableType) {
-    }
+  //   res->pRawRes->pass = false;
-*/    
+  //   goto _return;
-  }
+  // }
+
+  // if (TSDB_CHILD_TABLE == pMeta->tableType) {
+  //   res->pRawRes->pass = true;
+
+  //   /*
+  //       char stbName[TSDB_TABLE_NAME_LEN] = {0};
+  //       CTG_ERR_JRET(ctgGetCachedStbNameFromSuid(pCtg, pMeta->suid, stbName));
+  //       if (0 == stbName[0]) {
+  //         if (req->onlyCache) {
+  //           res->notExists = true;
+  //           return TSDB_CODE_SUCCESS;
+  //         }
+
+  //         CTG_ERR_RET(catalogRefreshTableMeta(pCtg, req->pConn, &req->pRawReq->tbName, 0));
+  //       }
+  //   */
+  // }
 
 _return:
 
@@ -1421,26 +1424,34 @@ int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) {
 
   switch (pReq->type) {
     case AUTH_TYPE_READ: {
+      if (pInfo->readTbs && taosHashGetSize(pInfo->readTbs) > 0) {
+        req->singleType = AUTH_TYPE_READ;
+        CTG_ERR_RET(ctgChkSetTbAuthRes(pCtg, req, res));
+        if (pRes->pass) {
+          return TSDB_CODE_SUCCESS;
+        }
+      }
+
       if (pInfo->readDbs && taosHashGet(pInfo->readDbs, dbFName, strlen(dbFName))) {
         pRes->pass = true;
         return TSDB_CODE_SUCCESS;
       }
-      if (pInfo->readTbs && taosHashGetSize(pInfo->readTbs) > 0) {
-        req->singleType = AUTH_TYPE_READ;
-        CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res));
-      }
 
       break;
     }
     case AUTH_TYPE_WRITE: {
+      if (pInfo->writeTbs && taosHashGetSize(pInfo->writeTbs) > 0) {
+        req->singleType = AUTH_TYPE_WRITE;
+        CTG_ERR_RET(ctgChkSetTbAuthRes(pCtg, req, res));
+        if (pRes->pass) {
+          return TSDB_CODE_SUCCESS;
+        }
+      }
+
       if (pInfo->writeDbs && taosHashGet(pInfo->writeDbs, dbFName, strlen(dbFName))) {
         pRes->pass = true;
         return TSDB_CODE_SUCCESS;
       }
-      if (pInfo->writeTbs && taosHashGetSize(pInfo->writeTbs) > 0) {
-        req->singleType = AUTH_TYPE_WRITE;
-        CTG_RET(ctgChkSetTbAuthRes(pCtg, req, res));
-      }
 
       break;
     }
@@ -1460,7 +1471,6 @@ int32_t ctgChkSetAuthRes(SCatalog *pCtg, SCtgAuthReq *req, SCtgAuthRsp* res) {
   return TSDB_CODE_SUCCESS;
 }
 
-
 #if 0
 static int32_t ctgCloneMetaDataArray(SArray* pSrc, __array_item_dup_fn_t copyFunc, SArray** pDst) {
   if (NULL == pSrc) {
@@ -1554,4 +1564,3 @@ void catalogFreeMetaData(SMetaData* pData) {
   taosMemoryFree(pData);
 }
 #endif
-

source/libs/parser/src/parAstParser.c

@@ -287,6 +287,10 @@ static int32_t collectMetaKeyFromDropTable(SCollectMetaKeyCxt* pCxt, SDropTableS
     if (TSDB_CODE_SUCCESS == code) {
       code = reserveTableVgroupInCache(pCxt->pParseCxt->acctId, pClause->dbName, pClause->tableName, pCxt->pMetaCache);
     }
+    if (TSDB_CODE_SUCCESS == code) {
+      code = reserveUserAuthInCache(pCxt->pParseCxt->acctId, pCxt->pParseCxt->pUser, pClause->dbName,
+                                    pClause->tableName, AUTH_TYPE_WRITE, pCxt->pMetaCache);
+    }
     if (TSDB_CODE_SUCCESS != code) {
       break;
     }
@@ -294,6 +298,11 @@ static int32_t collectMetaKeyFromDropTable(SCollectMetaKeyCxt* pCxt, SDropTableS
   return code;
 }
 
+static int32_t collectMetaKeyFromDropStable(SCollectMetaKeyCxt* pCxt, SDropSuperTableStmt* pStmt) {
+  return reserveUserAuthInCache(pCxt->pParseCxt->acctId, pCxt->pParseCxt->pUser, pStmt->dbName, pStmt->tableName,
+                                AUTH_TYPE_WRITE, pCxt->pMetaCache);
+}
+
 static int32_t collectMetaKeyFromAlterTable(SCollectMetaKeyCxt* pCxt, SAlterTableStmt* pStmt) {
   int32_t code = reserveDbCfgInCache(pCxt->pParseCxt->acctId, pStmt->dbName, pCxt->pMetaCache);
   if (TSDB_CODE_SUCCESS == code) {
@@ -302,6 +311,10 @@ static int32_t collectMetaKeyFromAlterTable(SCollectMetaKeyCxt* pCxt, SAlterTabl
   if (TSDB_CODE_SUCCESS == code) {
     code = reserveTableVgroupInCache(pCxt->pParseCxt->acctId, pStmt->dbName, pStmt->tableName, pCxt->pMetaCache);
   }
+  if (TSDB_CODE_SUCCESS == code) {
+    code = reserveUserAuthInCache(pCxt->pParseCxt->acctId, pCxt->pParseCxt->pUser, pStmt->dbName, pStmt->tableName,
+                                  AUTH_TYPE_WRITE, pCxt->pMetaCache);
+  }
   return code;
 }
 
@@ -310,6 +323,10 @@ static int32_t collectMetaKeyFromAlterStable(SCollectMetaKeyCxt* pCxt, SAlterTab
   if (TSDB_CODE_SUCCESS == code) {
     code = reserveTableMetaInCache(pCxt->pParseCxt->acctId, pStmt->dbName, pStmt->tableName, pCxt->pMetaCache);
   }
+  if (TSDB_CODE_SUCCESS == code) {
+    code = reserveUserAuthInCache(pCxt->pParseCxt->acctId, pCxt->pParseCxt->pUser, pStmt->dbName, pStmt->tableName,
+                                  AUTH_TYPE_WRITE, pCxt->pMetaCache);
+  }
   return code;
 }
 
@@ -638,6 +655,8 @@ static int32_t collectMetaKeyFromQuery(SCollectMetaKeyCxt* pCxt, SNode* pStmt) {
       return collectMetaKeyFromCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);
     case QUERY_NODE_DROP_TABLE_STMT:
       return collectMetaKeyFromDropTable(pCxt, (SDropTableStmt*)pStmt);
+    case QUERY_NODE_DROP_SUPER_TABLE_STMT:
+      return collectMetaKeyFromDropStable(pCxt, (SDropSuperTableStmt*)pStmt);
     case QUERY_NODE_ALTER_TABLE_STMT:
       return collectMetaKeyFromAlterTable(pCxt, (SAlterTableStmt*)pStmt);
     case QUERY_NODE_ALTER_SUPER_TABLE_STMT:

source/libs/parser/src/parAuthenticator.c

@@ -197,6 +197,29 @@ static int32_t authCreateMultiTable(SAuthCxt* pCxt, SCreateMultiTablesStmt* pStm
   return code;
 }
 
+static int32_t authDropTable(SAuthCxt* pCxt, SDropTableStmt* pStmt) {
+  int32_t code = TSDB_CODE_SUCCESS;
+  SNode*  pNode = NULL;
+  FOREACH(pNode, pStmt->pTables) {
+    SDropTableClause* pClause = (SDropTableClause*)pNode;
+    code = checkAuth(pCxt, pClause->dbName, pClause->tableName, AUTH_TYPE_WRITE, NULL);
+    if (TSDB_CODE_SUCCESS != code) {
+      break;
+    }
+  }
+  return code;
+}
+
+static int32_t authDropStable(SAuthCxt* pCxt, SDropSuperTableStmt* pStmt) {
+  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
+}
+
+static int32_t authAlterTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {
+  SNode* pTagCond = NULL;
+  // todo check tag condition for subtable
+  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
+}
+
 static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {
   switch (nodeType(pStmt)) {
     case QUERY_NODE_SET_OPERATOR:
@@ -213,6 +236,13 @@ static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {
       return authCreateTable(pCxt, (SCreateTableStmt*)pStmt);
     case QUERY_NODE_CREATE_MULTI_TABLES_STMT:
       return authCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);
+    case QUERY_NODE_DROP_TABLE_STMT:
+      return authDropTable(pCxt, (SDropTableStmt*)pStmt);
+    case QUERY_NODE_DROP_SUPER_TABLE_STMT:
+      return authDropStable(pCxt, (SDropSuperTableStmt*)pStmt);
+    case QUERY_NODE_ALTER_TABLE_STMT:
+    case QUERY_NODE_ALTER_SUPER_TABLE_STMT:
+      return authAlterTable(pCxt, (SAlterTableStmt*)pStmt);
     case QUERY_NODE_SHOW_DNODES_STMT:
     case QUERY_NODE_SHOW_MNODES_STMT:
     case QUERY_NODE_SHOW_MODULES_STMT: