From 9a927afbd976ef63660147fc386f27ed4158dcc3 Mon Sep 17 00:00:00 2001 From: Shengliang Guan Date: Tue, 15 Feb 2022 17:24:34 +0800 Subject: [PATCH] auth for stb --- source/dnode/mnode/impl/inc/mndAuth.h | 3 + source/dnode/mnode/impl/src/mndAuth.c | 26 ++++++++ source/dnode/mnode/impl/src/mndStb.c | 93 ++++++++++++++++++++------- 3 files changed, 98 insertions(+), 24 deletions(-) diff --git a/source/dnode/mnode/impl/inc/mndAuth.h b/source/dnode/mnode/impl/inc/mndAuth.h index c2c69f000b..7dcb518f9b 100644 --- a/source/dnode/mnode/impl/inc/mndAuth.h +++ b/source/dnode/mnode/impl/inc/mndAuth.h @@ -36,6 +36,9 @@ int32_t mndCheckCreateDbAuth(SUserObj *pOperUser); int32_t mndCheckAlterDropCompactSyncDbAuth(SUserObj *pOperUser, SDbObj *pDb); int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb); +int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb); +int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb); + #ifdef __cplusplus } #endif diff --git a/source/dnode/mnode/impl/src/mndAuth.c b/source/dnode/mnode/impl/src/mndAuth.c index 84c8b7476c..afebb066b3 100644 --- a/source/dnode/mnode/impl/src/mndAuth.c +++ b/source/dnode/mnode/impl/src/mndAuth.c @@ -141,3 +141,29 @@ int32_t mndCheckAlterDropCompactSyncDbAuth(SUserObj *pOperUser, SDbObj *pDb) { } int32_t mndCheckUseDbAuth(SUserObj *pOperUser, SDbObj *pDb) { return 0; } + +int32_t mndCheckWriteAuth(SUserObj *pOperUser, SDbObj *pDb) { + if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) { + return 0; + } + + if (taosHashGet(pOperUser->writeDbs, pDb->name, strlen(pDb->name) + 1) != NULL) { + return 0; + } + + terrno = TSDB_CODE_MND_NO_RIGHTS; + return -1; +} + +int32_t mndCheckReadAuth(SUserObj *pOperUser, SDbObj *pDb) { + if (pOperUser->superUser || strcmp(pOperUser->user, pDb->createUser) == 0) { + return 0; + } + + if (taosHashGet(pOperUser->readDbs, pDb->name, strlen(pDb->name) + 1) != NULL) { + return 0; + } + + terrno = TSDB_CODE_MND_NO_RIGHTS; + return -1; +} \ No newline at end of file diff --git a/source/dnode/mnode/impl/src/mndStb.c b/source/dnode/mnode/impl/src/mndStb.c index 436b0b9961..69a8479d47 100644 --- a/source/dnode/mnode/impl/src/mndStb.c +++ b/source/dnode/mnode/impl/src/mndStb.c @@ -15,6 +15,7 @@ #define _DEFAULT_SOURCE #include "mndStb.h" +#include "mndAuth.h" #include "mndDb.h" #include "mndDnode.h" #include "mndMnode.h" @@ -343,7 +344,7 @@ static int32_t mndCheckCreateStbReq(SMCreateStbReq *pCreate) { return -1; } - SField *pField = taosArrayGet(pCreate->pColumns, 0) ; + SField *pField = taosArrayGet(pCreate->pColumns, 0); if (pField->type != TSDB_DATA_TYPE_TIMESTAMP) { terrno = TSDB_CODE_MND_INVALID_STB_OPTION; return -1; @@ -549,12 +550,16 @@ static int32_t mndProcessMCreateStbReq(SMnodeMsg *pReq) { SStbObj *pTopicStb = NULL; SStbObj *pStb = NULL; SDbObj *pDb = NULL; + SUserObj *pUser = NULL; SMCreateStbReq createReq = {0}; if (tDeserializeSMCreateStbReq(pReq->rpcMsg.pCont, &createReq) == NULL) goto CREATE_STB_OVER; mDebug("stb:%s, start to create", createReq.name); - if (mndCheckCreateStbReq(&createReq) != 0) goto CREATE_STB_OVER; + if (mndCheckCreateStbReq(&createReq) != 0) { + terrno = TSDB_CODE_INVALID_MSG; + goto CREATE_STB_OVER; + } pStb = mndAcquireStb(pMnode, createReq.name); if (pStb != NULL) { @@ -582,6 +587,15 @@ static int32_t mndProcessMCreateStbReq(SMnodeMsg *pReq) { goto CREATE_STB_OVER; } + pUser = mndAcquireUser(pMnode, pReq->user); + if (pUser == NULL) { + goto CREATE_STB_OVER; + } + + if (mndCheckWriteAuth(pUser, pDb) != 0) { + goto CREATE_STB_OVER; + } + code = mndCreateStb(pMnode, pReq, &createReq, pDb); if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS; @@ -593,8 +607,8 @@ CREATE_STB_OVER: mndReleaseStb(pMnode, pStb); mndReleaseStb(pMnode, pTopicStb); mndReleaseDb(pMnode, pDb); - taosArrayDestroy(createReq.pColumns); - taosArrayDestroy(createReq.pTags); + mndReleaseUser(pMnode, pUser); + tFreeSMCreateStbReq(&createReq); return code; } @@ -965,7 +979,7 @@ static int32_t mndAlterStb(SMnode *pMnode, SMnodeMsg *pReq, const SMAltertbReq * int32_t code = -1; STrans *pTrans = NULL; SField *pField0 = taosArrayGet(pAlter->pFields, 0); - + switch (pAlter->alterType) { case TSDB_ALTER_TABLE_ADD_TAG: code = mndAddSuperTableTag(pOld, &stbObj, pAlter->pFields, pAlter->numOfFields); @@ -1020,9 +1034,13 @@ static int32_t mndProcessMAlterStbReq(SMnodeMsg *pReq) { int32_t code = -1; SDbObj *pDb = NULL; SStbObj *pStb = NULL; + SUserObj *pUser = NULL; SMAltertbReq alterReq = {0}; - if (tDeserializeSMAlterStbReq(pReq->rpcMsg.pCont, &alterReq) == NULL) goto ALTER_STB_OVER; + if (tDeserializeSMAlterStbReq(pReq->rpcMsg.pCont, &alterReq) == NULL) { + terrno = TSDB_CODE_INVALID_MSG; + goto ALTER_STB_OVER; + } mDebug("stb:%s, start to alter", alterReq.name); if (mndCheckAlterStbReq(&alterReq) != 0) goto ALTER_STB_OVER; @@ -1039,6 +1057,15 @@ static int32_t mndProcessMAlterStbReq(SMnodeMsg *pReq) { goto ALTER_STB_OVER; } + pUser = mndAcquireUser(pMnode, pReq->user); + if (pUser == NULL) { + goto ALTER_STB_OVER; + } + + if (mndCheckWriteAuth(pUser, pDb) != 0) { + goto ALTER_STB_OVER; + } + code = mndAlterStb(pMnode, pReq, &alterReq, pDb, pStb); if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS; @@ -1049,6 +1076,7 @@ ALTER_STB_OVER: mndReleaseStb(pMnode, pStb); mndReleaseDb(pMnode, pDb); + mndReleaseUser(pMnode, pUser); taosArrayDestroy(alterReq.pFields); return code; @@ -1135,43 +1163,60 @@ DROP_STB_OVER: } static int32_t mndProcessMDropStbReq(SMnodeMsg *pReq) { - SMnode *pMnode = pReq->pMnode; - + SMnode *pMnode = pReq->pMnode; + int32_t code = -1; + SUserObj *pUser = NULL; + SDbObj *pDb = NULL; + SStbObj *pStb = NULL; SMDropStbReq dropReq = {0}; - tDeserializeSMDropStbReq(pReq->rpcMsg.pCont, &dropReq); + + if (tDeserializeSMDropStbReq(pReq->rpcMsg.pCont, &dropReq) != 0) { + terrno = TSDB_CODE_INVALID_MSG; + goto DROP_STB_OVER; + } mDebug("stb:%s, start to drop", dropReq.name); - SStbObj *pStb = mndAcquireStb(pMnode, dropReq.name); + pStb = mndAcquireStb(pMnode, dropReq.name); if (pStb == NULL) { if (dropReq.igNotExists) { mDebug("stb:%s, not exist, ignore not exist is set", dropReq.name); - return 0; + code = 0; + goto DROP_STB_OVER; } else { terrno = TSDB_CODE_MND_STB_NOT_EXIST; - mError("stb:%s, failed to drop since %s", dropReq.name, terrstr()); - return -1; + goto DROP_STB_OVER; } } - SDbObj *pDb = mndAcquireDbByStb(pMnode, dropReq.name); + pDb = mndAcquireDbByStb(pMnode, dropReq.name); if (pDb == NULL) { - mndReleaseStb(pMnode, pStb); terrno = TSDB_CODE_MND_DB_NOT_SELECTED; - mError("stb:%s, failed to drop since %s", dropReq.name, terrstr()); - return -1; + goto DROP_STB_OVER; + } + + pUser = mndAcquireUser(pMnode, pReq->user); + if (pUser == NULL) { + goto DROP_STB_OVER; + } + + if (mndCheckWriteAuth(pUser, pDb) != 0) { + goto DROP_STB_OVER; + } + + code = mndDropStb(pMnode, pReq, pDb, pStb); + if (code == 0) code = TSDB_CODE_MND_ACTION_IN_PROGRESS; + +DROP_STB_OVER: + if (code != 0 && code != TSDB_CODE_MND_ACTION_IN_PROGRESS) { + mError("stb:%s, failed to drop since %s", dropReq.name, terrstr()); } - int32_t code = mndDropStb(pMnode, pReq, pDb, pStb); mndReleaseDb(pMnode, pDb); mndReleaseStb(pMnode, pStb); + mndReleaseUser(pMnode, pUser); - if (code != 0) { - mError("stb:%s, failed to drop since %s", dropReq.name, terrstr()); - return -1; - } - - return TSDB_CODE_MND_ACTION_IN_PROGRESS; + return code; } static int32_t mndProcessVDropStbRsp(SMnodeMsg *pRsp) {