From 7000d597fc4fb4e802bb22a5408099772e0c3a19 Mon Sep 17 00:00:00 2001 From: Yihao Deng Date: Thu, 20 Jun 2024 03:23:27 +0000 Subject: [PATCH] Fix the issue of dynamically adjusting the IP whitelist. --- source/client/src/clientHb.c | 56 ++++--- source/dnode/mnode/impl/inc/mndUser.h | 1 + source/dnode/mnode/impl/src/mndPrivilege.c | 22 +-- source/dnode/mnode/impl/src/mndProfile.c | 2 +- source/dnode/mnode/impl/src/mndUser.c | 181 ++++++++++++--------- 5 files changed, 135 insertions(+), 127 deletions(-) diff --git a/source/client/src/clientHb.c b/source/client/src/clientHb.c index 1b6cb8fd22..a060dab24c 100644 --- a/source/client/src/clientHb.c +++ b/source/client/src/clientHb.c @@ -133,14 +133,15 @@ static int32_t hbUpdateUserAuthInfo(SAppHbMgr *pAppHbMgr, SUserAuthBatchRsp *bat if (pTscObj->whiteListInfo.fp) { SWhiteListInfo *whiteListInfo = &pTscObj->whiteListInfo; - int64_t oldVer = atomic_load_64(&whiteListInfo->ver); - if (oldVer < pRsp->whiteListVer) { + int64_t oldVer = atomic_load_64(&whiteListInfo->ver); + + if (oldVer < pRsp->whiteListVer || pRsp->whiteListVer == 0) { atomic_store_64(&whiteListInfo->ver, pRsp->whiteListVer); if (whiteListInfo->fp) { (*whiteListInfo->fp)(whiteListInfo->param, &pRsp->whiteListVer, TAOS_NOTIFY_WHITELIST_VER); } - tscDebug("update whitelist version of user %s from %"PRId64" to %"PRId64", tscRid:%" PRIi64, pRsp->user, oldVer, - atomic_load_64(&whiteListInfo->ver), pTscObj->id); + tscDebug("update whitelist version of user %s from %" PRId64 " to %" PRId64 ", tscRid:%" PRIi64, pRsp->user, + oldVer, atomic_load_64(&whiteListInfo->ver), pTscObj->id); } } releaseTscObj(pReq->connKey.tscRid); @@ -202,8 +203,8 @@ static int32_t hbProcessDBInfoRsp(void *value, int32_t valueLen, struct SCatalog for (int32_t i = 0; i < numOfBatchs; ++i) { SDbHbRsp *rsp = taosArrayGet(batchRsp.pArray, i); if (rsp->useDbRsp) { - tscDebug("hb use db rsp, db:%s, vgVersion:%d, stateTs:%" PRId64 ", uid:%" PRIx64, - rsp->useDbRsp->db, rsp->useDbRsp->vgVersion, rsp->useDbRsp->stateTs, rsp->useDbRsp->uid); + tscDebug("hb use db rsp, db:%s, vgVersion:%d, stateTs:%" PRId64 ", uid:%" PRIx64, rsp->useDbRsp->db, + rsp->useDbRsp->vgVersion, rsp->useDbRsp->stateTs, rsp->useDbRsp->uid); if (rsp->useDbRsp->vgVersion < 0) { tscDebug("hb to remove db, db:%s", rsp->useDbRsp->db); @@ -225,7 +226,9 @@ static int32_t hbProcessDBInfoRsp(void *value, int32_t valueLen, struct SCatalog goto _return; } - catalogUpdateDBVgInfo(pCatalog, (rsp->useDbRsp->db[0] == 'i') ? TSDB_PERFORMANCE_SCHEMA_DB : TSDB_INFORMATION_SCHEMA_DB, rsp->useDbRsp->uid, vgInfo); + catalogUpdateDBVgInfo(pCatalog, + (rsp->useDbRsp->db[0] == 'i') ? TSDB_PERFORMANCE_SCHEMA_DB : TSDB_INFORMATION_SCHEMA_DB, + rsp->useDbRsp->uid, vgInfo); } } } @@ -238,7 +241,7 @@ static int32_t hbProcessDBInfoRsp(void *value, int32_t valueLen, struct SCatalog if (rsp->pTsmaRsp) { if (rsp->pTsmaRsp->pTsmas) { for (int32_t i = 0; i < rsp->pTsmaRsp->pTsmas->size; ++i) { - STableTSMAInfo* pTsma = taosArrayGetP(rsp->pTsmaRsp->pTsmas, i); + STableTSMAInfo *pTsma = taosArrayGetP(rsp->pTsmaRsp->pTsmas, i); catalogAsyncUpdateTSMA(pCatalog, &pTsma, rsp->dbTsmaVersion); } taosArrayClear(rsp->pTsmaRsp->pTsmas); @@ -294,16 +297,15 @@ static int32_t hbProcessStbInfoRsp(void *value, int32_t valueLen, struct SCatalo return TSDB_CODE_SUCCESS; } - static int32_t hbProcessDynViewRsp(void *value, int32_t valueLen, struct SCatalog *pCatalog) { - return catalogUpdateDynViewVer(pCatalog, (SDynViewVersion*)value); + return catalogUpdateDynViewVer(pCatalog, (SDynViewVersion *)value); } -static void hbFreeSViewMetaInRsp(void* p) { - if (NULL == p || NULL == *(void**)p) { +static void hbFreeSViewMetaInRsp(void *p) { + if (NULL == p || NULL == *(void **)p) { return; } - SViewMetaRsp *pRsp = *(SViewMetaRsp**)p; + SViewMetaRsp *pRsp = *(SViewMetaRsp **)p; tFreeSViewMetaRsp(pRsp); taosMemoryFreeClear(pRsp); } @@ -337,7 +339,7 @@ static int32_t hbProcessViewInfoRsp(void *value, int32_t valueLen, struct SCatal return TSDB_CODE_SUCCESS; } -static int32_t hbprocessTSMARsp(void* value, int32_t valueLen, struct SCatalog* pCatalog) { +static int32_t hbprocessTSMARsp(void *value, int32_t valueLen, struct SCatalog *pCatalog) { int32_t code = 0; STSMAHbRsp hbRsp = {0}; @@ -348,7 +350,7 @@ static int32_t hbprocessTSMARsp(void* value, int32_t valueLen, struct SCatalog* int32_t numOfTsma = taosArrayGetSize(hbRsp.pTsmas); for (int32_t i = 0; i < numOfTsma; ++i) { - STableTSMAInfo* pTsmaInfo = taosArrayGetP(hbRsp.pTsmas, i); + STableTSMAInfo *pTsmaInfo = taosArrayGetP(hbRsp.pTsmas, i); if (!pTsmaInfo->pFuncs) { tscDebug("hb to remove tsma: %s.%s", pTsmaInfo->dbFName, pTsmaInfo->name); @@ -365,7 +367,7 @@ static int32_t hbprocessTSMARsp(void* value, int32_t valueLen, struct SCatalog* return TSDB_CODE_SUCCESS; } -static void hbProcessQueryRspKvs(int32_t kvNum, SArray* pKvs, struct SCatalog *pCatalog, SAppHbMgr *pAppHbMgr) { +static void hbProcessQueryRspKvs(int32_t kvNum, SArray *pKvs, struct SCatalog *pCatalog, SAppHbMgr *pAppHbMgr) { for (int32_t i = 0; i < kvNum; ++i) { SKv *kv = taosArrayGet(pKvs, i); switch (kv->key) { @@ -489,14 +491,14 @@ static int32_t hbQueryHbRspHandle(SAppHbMgr *pAppHbMgr, SClientHbRsp *pRsp) { if (kvNum > 0) { struct SCatalog *pCatalog = NULL; - int32_t code = catalogGetHandle(pReq->clusterId, &pCatalog); + int32_t code = catalogGetHandle(pReq->clusterId, &pCatalog); if (code != TSDB_CODE_SUCCESS) { tscWarn("catalogGetHandle failed, clusterId:%" PRIx64 ", error:%s", pReq->clusterId, tstrerror(code)); } else { hbProcessQueryRspKvs(kvNum, pRsp->info, pCatalog, pAppHbMgr); } } - + taosHashRelease(pAppHbMgr->activeInfo, pReq); return TSDB_CODE_SUCCESS; @@ -799,8 +801,9 @@ int32_t hbGetExpiredDBInfo(SClientHbKey *connKey, struct SCatalog *pCatalog, SCl for (int32_t i = 0; i < dbNum; ++i) { SDbCacheInfo *db = &dbs[i]; - tscDebug("the %dth expired dbFName:%s, dbId:%" PRId64 ", vgVersion:%d, cfgVersion:%d, numOfTable:%d, startTs:%" PRId64, - i, db->dbFName, db->dbId, db->vgVersion, db->cfgVersion, db->numOfTable, db->stateTs); + tscDebug("the %dth expired dbFName:%s, dbId:%" PRId64 + ", vgVersion:%d, cfgVersion:%d, numOfTable:%d, startTs:%" PRId64, + i, db->dbFName, db->dbId, db->vgVersion, db->cfgVersion, db->numOfTable, db->stateTs); db->dbId = htobe64(db->dbId); db->vgVersion = htonl(db->vgVersion); @@ -916,7 +919,7 @@ int32_t hbGetExpiredViewInfo(SClientHbKey *connKey, struct SCatalog *pCatalog, S return TSDB_CODE_SUCCESS; } -int32_t hbGetExpiredTSMAInfo(SClientHbKey* connKey, struct SCatalog* pCatalog, SClientHbReq* pReq) { +int32_t hbGetExpiredTSMAInfo(SClientHbKey *connKey, struct SCatalog *pCatalog, SClientHbReq *pReq) { int32_t code = 0; uint32_t tsmaNum = 0; STSMAVersion *tsmas = NULL; @@ -933,7 +936,7 @@ int32_t hbGetExpiredTSMAInfo(SClientHbKey* connKey, struct SCatalog* pCatalog, S } for (int32_t i = 0; i < tsmaNum; ++i) { - STSMAVersion* tsma = &tsmas[i]; + STSMAVersion *tsma = &tsmas[i]; tsma->dbId = htobe64(tsma->dbId); tsma->tsmaId = htobe64(tsma->tsmaId); tsma->version = htonl(tsma->version); @@ -1012,7 +1015,7 @@ int32_t hbQueryHbReqHandle(SClientHbKey *connKey, void *param, SClientHbReq *req if (TSDB_CODE_SUCCESS != code) { return code; } -#endif +#endif code = hbGetExpiredTSMAInfo(connKey, pCatalog, req); } else { req->app.appId = 0; @@ -1151,7 +1154,8 @@ static void *hbThreadFunc(void *param) { if (sz > 0) { hbGatherAppInfo(); if (sz > 1 && !clientHbMgr.appHbHash) { - clientHbMgr.appHbHash = taosHashInit(0, taosGetDefaultHashFunction(TSDB_DATA_TYPE_UBIGINT), false, HASH_NO_LOCK); + clientHbMgr.appHbHash = + taosHashInit(0, taosGetDefaultHashFunction(TSDB_DATA_TYPE_UBIGINT), false, HASH_NO_LOCK); } taosHashClear(clientHbMgr.appHbHash); } @@ -1433,6 +1437,4 @@ void hbDeregisterConn(STscObj *pTscObj, SClientHbKey connKey) { } // set heart beat thread quit mode , if quicByKill 1 then kill thread else quit from inner -void taos_set_hb_quit(int8_t quitByKill) { - clientHbMgr.quitByKill = quitByKill; -} +void taos_set_hb_quit(int8_t quitByKill) { clientHbMgr.quitByKill = quitByKill; } diff --git a/source/dnode/mnode/impl/inc/mndUser.h b/source/dnode/mnode/impl/inc/mndUser.h index 907ec86623..5782890f73 100644 --- a/source/dnode/mnode/impl/inc/mndUser.h +++ b/source/dnode/mnode/impl/inc/mndUser.h @@ -53,6 +53,7 @@ void mndUpdateIpWhiteForAllUser(SMnode *pMnode, char *user, char *fqdn, int8_t t int32_t mndRefreshUserIpWhiteList(SMnode *pMnode); +int64_t mndGetUserIpWhiteListVer(SMnode *pMnode, SUserObj *pUser); #ifdef __cplusplus } #endif diff --git a/source/dnode/mnode/impl/src/mndPrivilege.c b/source/dnode/mnode/impl/src/mndPrivilege.c index 13a80cb1a6..fd7f9e5fb3 100644 --- a/source/dnode/mnode/impl/src/mndPrivilege.c +++ b/source/dnode/mnode/impl/src/mndPrivilege.c @@ -31,7 +31,6 @@ int32_t mndCheckDbPrivilegeByName(SMnode *pMnode, const char *user, EOperType op int32_t mndCheckTopicPrivilege(SMnode *pMnode, const char *user, EOperType operType, SMqTopicObj *pTopic) { return 0; } - int32_t mndSetUserWhiteListRsp(SMnode *pMnode, SUserObj *pUser, SGetUserWhiteListRsp *pWhiteListRsp) { memcpy(pWhiteListRsp->user, pUser->user, TSDB_USER_LEN); pWhiteListRsp->numWhiteLists = 1; @@ -41,25 +40,6 @@ int32_t mndSetUserWhiteListRsp(SMnode *pMnode, SUserObj *pUser, SGetUserWhiteLis } memset(pWhiteListRsp->pWhiteLists, 0, pWhiteListRsp->numWhiteLists * sizeof(SIpV4Range)); -// if (tsEnableWhiteList) { -// memcpy(pWhiteListRsp->user, pUser->user, TSDB_USER_LEN); -// pWhiteListRsp->numWhiteLists = pUser->pIpWhiteList->num; -// pWhiteListRsp->pWhiteLists = taosMemoryMalloc(pWhiteListRsp->numWhiteLists * sizeof(SIpV4Range)); -// if (pWhiteListRsp->pWhiteLists == NULL) { -// return TSDB_CODE_OUT_OF_MEMORY; -// } -// memcpy(pWhiteListRsp->pWhiteLists, pUser->pIpWhiteList->pIpRange, -// pWhiteListRsp->numWhiteLists * sizeof(SIpV4Range)); -// } else { -// memcpy(pWhiteListRsp->user, pUser->user, TSDB_USER_LEN); -// pWhiteListRsp->numWhiteLists = 1; -// pWhiteListRsp->pWhiteLists = taosMemoryMalloc(pWhiteListRsp->numWhiteLists * sizeof(SIpV4Range)); -// if (pWhiteListRsp->pWhiteLists == NULL) { -// return TSDB_CODE_OUT_OF_MEMORY; -// } -// memset(pWhiteListRsp->pWhiteLists, 0, pWhiteListRsp->numWhiteLists * sizeof(SIpV4Range)); -// } - return 0; } @@ -70,7 +50,7 @@ int32_t mndSetUserAuthRsp(SMnode *pMnode, SUserObj *pUser, SGetUserAuthRsp *pRsp pRsp->sysInfo = pUser->sysInfo; pRsp->version = pUser->authVersion; pRsp->passVer = pUser->passVersion; - pRsp->whiteListVer = pUser->ipWhiteListVer; + pRsp->whiteListVer = mndGetUserIpWhiteListVer(pMnode, pUser); return 0; } diff --git a/source/dnode/mnode/impl/src/mndProfile.c b/source/dnode/mnode/impl/src/mndProfile.c index fafdb539fb..fcd4403aa4 100644 --- a/source/dnode/mnode/impl/src/mndProfile.c +++ b/source/dnode/mnode/impl/src/mndProfile.c @@ -300,7 +300,7 @@ _CONNECT: connectRsp.svrTimestamp = taosGetTimestampSec(); connectRsp.passVer = pUser->passVersion; connectRsp.authVer = pUser->authVersion; - connectRsp.whiteListVer = pUser->ipWhiteListVer; + connectRsp.whiteListVer = mndGetUserIpWhiteListVer(pMnode, pUser); strcpy(connectRsp.sVer, version); snprintf(connectRsp.sDetailVer, sizeof(connectRsp.sDetailVer), "ver:%s\nbuild:%s\ngitinfo:%s", version, buildinfo, diff --git a/source/dnode/mnode/impl/src/mndUser.c b/source/dnode/mnode/impl/src/mndUser.c index 7cde8c5508..cbb72ee1f4 100644 --- a/source/dnode/mnode/impl/src/mndUser.c +++ b/source/dnode/mnode/impl/src/mndUser.c @@ -45,35 +45,55 @@ #define ALTER_USER_DEL_PRIVS(_type) ((_type) == TSDB_ALTER_USER_DEL_PRIVILEGES) #define ALTER_USER_ALL_PRIV(_priv) (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) -#define ALTER_USER_READ_PRIV(_priv) (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_READ) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) -#define ALTER_USER_WRITE_PRIV(_priv) (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_WRITE) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) -#define ALTER_USER_ALTER_PRIV(_priv) (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALTER) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) +#define ALTER_USER_READ_PRIV(_priv) \ + (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_READ) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) +#define ALTER_USER_WRITE_PRIV(_priv) \ + (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_WRITE) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) +#define ALTER_USER_ALTER_PRIV(_priv) \ + (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALTER) || BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_ALL)) #define ALTER_USER_SUBSCRIBE_PRIV(_priv) (BIT_FLAG_TEST_MASK((_priv), PRIVILEGE_TYPE_SUBSCRIBE)) #define ALTER_USER_TARGET_DB(_tbname) (0 == (_tbname)[0]) #define ALTER_USER_TARGET_TB(_tbname) (0 != (_tbname)[0]) -#define ALTER_USER_ADD_READ_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_DEL_READ_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_ADD_WRITE_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_DEL_WRITE_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_ADD_ALTER_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_DEL_ALTER_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_ADD_ALL_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_DEL_ALL_DB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_ADD_READ_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_DEL_READ_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_ADD_WRITE_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_DEL_WRITE_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_ADD_ALTER_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_DEL_ALTER_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_ADD_ALL_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) +#define ALTER_USER_DEL_ALL_DB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_DB(_tbname)) -#define ALTER_USER_ADD_READ_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_DEL_READ_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_ADD_WRITE_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_DEL_WRITE_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_ADD_ALTER_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_DEL_ALTER_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_ADD_ALL_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) -#define ALTER_USER_DEL_ALL_TB_PRIV(_type, _priv, _tbname) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) - -#define ALTER_USER_ADD_SUBSCRIBE_TOPIC_PRIV(_type, _priv) (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_SUBSCRIBE_PRIV(_priv)) -#define ALTER_USER_DEL_SUBSCRIBE_TOPIC_PRIV(_type, _priv) (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_SUBSCRIBE_PRIV(_priv)) +#define ALTER_USER_ADD_READ_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_DEL_READ_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_READ_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_ADD_WRITE_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_DEL_WRITE_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_WRITE_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_ADD_ALTER_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_DEL_ALTER_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALTER_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_ADD_ALL_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_DEL_ALL_TB_PRIV(_type, _priv, _tbname) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_ALL_PRIV(_priv) && ALTER_USER_TARGET_TB(_tbname)) +#define ALTER_USER_ADD_SUBSCRIBE_TOPIC_PRIV(_type, _priv) \ + (ALTER_USER_ADD_PRIVS(_type) && ALTER_USER_SUBSCRIBE_PRIV(_priv)) +#define ALTER_USER_DEL_SUBSCRIBE_TOPIC_PRIV(_type, _priv) \ + (ALTER_USER_DEL_PRIVS(_type) && ALTER_USER_SUBSCRIBE_PRIV(_priv)) static SIpWhiteList *createDefaultIpWhiteList(); SIpWhiteList *createIpWhiteList(void *buf, int32_t len); @@ -1575,8 +1595,8 @@ static int32_t mndProcessCreateUserReq(SRpcMsg *pReq) { if (code == 0) code = TSDB_CODE_ACTION_IN_PROGRESS; char detail[1000] = {0}; - sprintf(detail, "enable:%d, superUser:%d, sysInfo:%d, password:xxx", - createReq.enable, createReq.superUser, createReq.sysInfo); + sprintf(detail, "enable:%d, superUser:%d, sysInfo:%d, password:xxx", createReq.enable, createReq.superUser, + createReq.sysInfo); auditRecord(pReq, pMnode->clusterId, "createUser", "", createReq.user, detail, strlen(detail)); @@ -1766,7 +1786,7 @@ static int32_t mndRemoveTablePriviledge(SMnode *pMnode, SHashObj *hash, SHashObj if (NULL == currRef) { return 0; } - + if (1 == *currRef) { if (taosHashRemove(useDbHash, alterReq->objname, dbKeyLen) != 0) { return -1; @@ -1800,12 +1820,12 @@ static char *mndUserAuditTypeStr(int32_t type) { return "error"; } -static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode *pMnode, SUserObj* pNewUser) { - SSdb *pSdb = pMnode->pSdb; - void *pIter = NULL; +static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode *pMnode, SUserObj *pNewUser) { + SSdb *pSdb = pMnode->pSdb; + void *pIter = NULL; - if (ALTER_USER_ADD_READ_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || - ALTER_USER_ADD_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_ADD_READ_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_ADD_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (strcmp(pAlterReq->objname, "1.*") != 0) { int32_t len = strlen(pAlterReq->objname) + 1; SDbObj *pDb = mndAcquireDb(pMnode, pAlterReq->objname); @@ -1830,7 +1850,8 @@ static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode } } - if (ALTER_USER_ADD_WRITE_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_ADD_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_ADD_WRITE_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_ADD_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (strcmp(pAlterReq->objname, "1.*") != 0) { int32_t len = strlen(pAlterReq->objname) + 1; SDbObj *pDb = mndAcquireDb(pMnode, pAlterReq->objname); @@ -1855,7 +1876,8 @@ static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode } } - if (ALTER_USER_DEL_READ_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_DEL_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_DEL_READ_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_DEL_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (strcmp(pAlterReq->objname, "1.*") != 0) { int32_t len = strlen(pAlterReq->objname) + 1; SDbObj *pDb = mndAcquireDb(pMnode, pAlterReq->objname); @@ -1870,7 +1892,8 @@ static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode } } - if (ALTER_USER_DEL_WRITE_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_DEL_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_DEL_WRITE_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_DEL_ALL_DB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (strcmp(pAlterReq->objname, "1.*") != 0) { int32_t len = strlen(pAlterReq->objname) + 1; SDbObj *pDb = mndAcquireDb(pMnode, pAlterReq->objname); @@ -1885,9 +1908,9 @@ static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode } } - SHashObj* pReadTbs = pNewUser->readTbs; - SHashObj* pWriteTbs = pNewUser->writeTbs; - SHashObj* pAlterTbs = pNewUser->alterTbs; + SHashObj *pReadTbs = pNewUser->readTbs; + SHashObj *pWriteTbs = pNewUser->writeTbs; + SHashObj *pAlterTbs = pNewUser->alterTbs; #ifdef TD_ENTERPRISE if (pAlterReq->isView) { @@ -1897,15 +1920,18 @@ static int32_t mndProcessAlterUserPrivilegesReq(SAlterUserReq *pAlterReq, SMnode } #endif - if (ALTER_USER_ADD_READ_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_ADD_READ_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (mndTablePriviledge(pMnode, pReadTbs, pNewUser->useDbs, pAlterReq, pSdb) != 0) return -1; } - if (ALTER_USER_ADD_WRITE_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_ADD_WRITE_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (mndTablePriviledge(pMnode, pWriteTbs, pNewUser->useDbs, pAlterReq, pSdb) != 0) return -1; } - if (ALTER_USER_ADD_ALTER_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { + if (ALTER_USER_ADD_ALTER_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName) || + ALTER_USER_ADD_ALL_TB_PRIV(pAlterReq->alterType, pAlterReq->privileges, pAlterReq->tabName)) { if (mndTablePriviledge(pMnode, pAlterTbs, pNewUser->useDbs, pAlterReq, pSdb) != 0) return -1; } @@ -2016,7 +2042,7 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) { newUser.sysInfo = alterReq.sysInfo; } - if(alterReq.alterType == TSDB_ALTER_USER_CREATEDB) { + if (alterReq.alterType == TSDB_ALTER_USER_CREATEDB) { newUser.createdb = alterReq.createdb; } @@ -2119,52 +2145,43 @@ static int32_t mndProcessAlterUserReq(SRpcMsg *pReq) { code = mndAlterUser(pMnode, pUser, &newUser, pReq); if (code == 0) code = TSDB_CODE_ACTION_IN_PROGRESS; - if(alterReq.alterType == TSDB_ALTER_USER_PASSWD){ + if (alterReq.alterType == TSDB_ALTER_USER_PASSWD) { char detail[1000] = {0}; sprintf(detail, "alterType:%s, enable:%d, superUser:%d, sysInfo:%d, createdb:%d, tabName:%s, password:xxx", mndUserAuditTypeStr(alterReq.alterType), alterReq.enable, alterReq.superUser, alterReq.sysInfo, alterReq.createdb ? 1 : 0, alterReq.tabName); auditRecord(pReq, pMnode->clusterId, "alterUser", "", alterReq.user, detail, strlen(detail)); - } - else if(alterReq.alterType == TSDB_ALTER_USER_SUPERUSER || - alterReq.alterType == TSDB_ALTER_USER_ENABLE || - alterReq.alterType == TSDB_ALTER_USER_SYSINFO || - alterReq.alterType == TSDB_ALTER_USER_CREATEDB){ + } else if (alterReq.alterType == TSDB_ALTER_USER_SUPERUSER || alterReq.alterType == TSDB_ALTER_USER_ENABLE || + alterReq.alterType == TSDB_ALTER_USER_SYSINFO || alterReq.alterType == TSDB_ALTER_USER_CREATEDB) { auditRecord(pReq, pMnode->clusterId, "alterUser", "", alterReq.user, alterReq.sql, alterReq.sqlLen); - } - else if(ALTER_USER_ADD_READ_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)|| - ALTER_USER_ADD_WRITE_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)|| - ALTER_USER_ADD_ALL_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)|| - ALTER_USER_ADD_READ_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)|| - ALTER_USER_ADD_WRITE_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)|| - ALTER_USER_ADD_ALL_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)){ - if (strcmp(alterReq.objname, "1.*") != 0){ + } else if (ALTER_USER_ADD_READ_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName) || + ALTER_USER_ADD_WRITE_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName) || + ALTER_USER_ADD_ALL_DB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName) || + ALTER_USER_ADD_READ_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName) || + ALTER_USER_ADD_WRITE_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName) || + ALTER_USER_ADD_ALL_TB_PRIV(alterReq.alterType, alterReq.privileges, alterReq.tabName)) { + if (strcmp(alterReq.objname, "1.*") != 0) { SName name = {0}; tNameFromString(&name, alterReq.objname, T_NAME_ACCT | T_NAME_DB); - auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", name.dbname, alterReq.user, - alterReq.sql, alterReq.sqlLen); - }else{ - auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", "", alterReq.user, - alterReq.sql, alterReq.sqlLen); + auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", name.dbname, alterReq.user, alterReq.sql, + alterReq.sqlLen); + } else { + auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", "", alterReq.user, alterReq.sql, alterReq.sqlLen); } - } - else if(ALTER_USER_ADD_SUBSCRIBE_TOPIC_PRIV(alterReq.alterType, alterReq.privileges)){ - auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", alterReq.objname, alterReq.user, - alterReq.sql, alterReq.sqlLen); - } - else if(ALTER_USER_DEL_SUBSCRIBE_TOPIC_PRIV(alterReq.alterType, alterReq.privileges)){ - auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", alterReq.objname, alterReq.user, - alterReq.sql, alterReq.sqlLen); - } - else{ - if (strcmp(alterReq.objname, "1.*") != 0){ + } else if (ALTER_USER_ADD_SUBSCRIBE_TOPIC_PRIV(alterReq.alterType, alterReq.privileges)) { + auditRecord(pReq, pMnode->clusterId, "GrantPrivileges", alterReq.objname, alterReq.user, alterReq.sql, + alterReq.sqlLen); + } else if (ALTER_USER_DEL_SUBSCRIBE_TOPIC_PRIV(alterReq.alterType, alterReq.privileges)) { + auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", alterReq.objname, alterReq.user, alterReq.sql, + alterReq.sqlLen); + } else { + if (strcmp(alterReq.objname, "1.*") != 0) { SName name = {0}; tNameFromString(&name, alterReq.objname, T_NAME_ACCT | T_NAME_DB); - auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", name.dbname, alterReq.user, - alterReq.sql, alterReq.sqlLen); - }else{ - auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", "", alterReq.user, - alterReq.sql, alterReq.sqlLen); + auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", name.dbname, alterReq.user, alterReq.sql, + alterReq.sqlLen); + } else { + auditRecord(pReq, pMnode->clusterId, "RevokePrivileges", "", alterReq.user, alterReq.sql, alterReq.sqlLen); } } @@ -2480,11 +2497,14 @@ static int32_t mndRetrievePrivileges(SRpcMsg *pReq, SShowObj *pShow, SSDataBlock int32_t numOfReadViews = taosHashGetSize(pUser->readViews); int32_t numOfWriteViews = taosHashGetSize(pUser->writeViews); int32_t numOfAlterViews = taosHashGetSize(pUser->alterViews); - if (numOfRows + numOfReadDbs + numOfWriteDbs + numOfTopics + numOfReadTbs + numOfWriteTbs + numOfAlterTbs + numOfReadViews + numOfWriteViews + numOfAlterViews >= rows) { + if (numOfRows + numOfReadDbs + numOfWriteDbs + numOfTopics + numOfReadTbs + numOfWriteTbs + numOfAlterTbs + + numOfReadViews + numOfWriteViews + numOfAlterViews >= + rows) { mInfo( "will restore. current num of rows: %d, read dbs %d, write dbs %d, topics %d, read tables %d, write tables " "%d, alter tables %d, read views %d, write views %d, alter views %d", - numOfRows, numOfReadDbs, numOfWriteDbs, numOfTopics, numOfReadTbs, numOfWriteTbs, numOfAlterTbs, numOfReadViews, numOfWriteViews, numOfAlterViews); + numOfRows, numOfReadDbs, numOfWriteDbs, numOfTopics, numOfReadTbs, numOfWriteTbs, numOfAlterTbs, + numOfReadViews, numOfWriteViews, numOfAlterViews); pShow->restore = true; sdbRelease(pSdb, pUser); break; @@ -2870,7 +2890,6 @@ int32_t mndUserRemoveView(SMnode *pMnode, STrans *pTrans, char *view) { return code; } - int32_t mndUserRemoveTopic(SMnode *pMnode, STrans *pTrans, char *topic) { int32_t code = 0; SSdb *pSdb = pMnode->pSdb; @@ -2910,3 +2929,9 @@ int32_t mndUserRemoveTopic(SMnode *pMnode, STrans *pTrans, char *topic) { mndUserFreeObj(&newUser); return code; } + +int64_t mndGetUserIpWhiteListVer(SMnode *pMnode, SUserObj *pUser) { + // ver = 0, disable ip white list + // ver > 0, enable ip white list + return tsEnableWhiteList ? pUser->ipWhiteListVer : 0; +}