Merge pull request #21550 from wangjiaming0909/feature/3.0/TD-23974

feature: add user priv when create db, remove priv check with create_dbs
2023-06-06 11:06:18 +08:00 · 2023-06-06 11:06:18 +08:00 · dff35ac584
parent 11321aa279 60100a0fb6
commit dff35ac584
6 changed files with 125 additions and 4 deletions
--- a/source/dnode/mnode/impl/inc/mndUser.h
+++ b/source/dnode/mnode/impl/inc/mndUser.h
@ -40,6 +40,8 @@ int32_t   mndValidateUserPassInfo(SMnode *pMnode, SUserPassVersion *pUsers, int3
 int32_t   mndUserRemoveDb(SMnode *pMnode, STrans *pTrans, char *db);
 int32_t   mndUserRemoveTopic(SMnode *pMnode, STrans *pTrans, char *topic);

+int32_t   mndUserDupObj(SUserObj *pUser, SUserObj *pNew);
+void      mndUserFreeObj(SUserObj *pUser);
 #ifdef __cplusplus
 }
 #endif
--- a/source/dnode/mnode/impl/src/mndDb.c
+++ b/source/dnode/mnode/impl/src/mndDb.c
@ -446,7 +446,8 @@ static int32_t mndSetCreateDbUndoLogs(SMnode *pMnode, STrans *pTrans, SDbObj *pD
  return 0;
 }

-static int32_t mndSetCreateDbCommitLogs(SMnode *pMnode, STrans *pTrans, SDbObj *pDb, SVgObj *pVgroups) {
+static int32_t mndSetCreateDbCommitLogs(SMnode *pMnode, STrans *pTrans, SDbObj *pDb, SVgObj *pVgroups,
+                                        SUserObj *pUserDuped) {
  SSdbRaw *pDbRaw = mndDbActionEncode(pDb);
  if (pDbRaw == NULL) return -1;
  if (mndTransAppendCommitlog(pTrans, pDbRaw) != 0) return -1;
@ -459,6 +460,13 @@ static int32_t mndSetCreateDbCommitLogs(SMnode *pMnode, STrans *pTrans, SDbObj *
    if (sdbSetRawStatus(pVgRaw, SDB_STATUS_READY) != 0) return -1;
  }

+  if (pUserDuped) {
+    SSdbRaw *pUserRaw = mndUserActionEncode(pUserDuped);
+    if (pUserRaw == NULL) return -1;
+    if (mndTransAppendCommitlog(pTrans, pUserRaw) != 0) return -1;
+    if (sdbSetRawStatus(pUserRaw, SDB_STATUS_READY) != 0) return -1;
+  }
+
  return 0;
 }

@ -565,6 +573,15 @@ static int32_t mndCreateDb(SMnode *pMnode, SRpcMsg *pReq, SCreateDbReq *pCreate,
    return -1;
  }

+  // add database privileges for user
+  SUserObj newUserObj = {0}, *pNewUserDuped = NULL;
+  if (!pUser->superUser) {
+    if (mndUserDupObj(pUser, &newUserObj) != 0) goto _OVER;
+    taosHashPut(newUserObj.readDbs, dbObj.name, strlen(dbObj.name) + 1, dbObj.name, TSDB_FILENAME_LEN);
+    taosHashPut(newUserObj.writeDbs, dbObj.name, strlen(dbObj.name) + 1, dbObj.name, TSDB_FILENAME_LEN);
+    pNewUserDuped = &newUserObj;
+  }
+
  int32_t code = -1;
  STrans *pTrans = mndTransCreate(pMnode, TRN_POLICY_RETRY, TRN_CONFLICT_DB, pReq, "create-db");
  if (pTrans == NULL) goto _OVER;
@ -577,7 +594,7 @@ static int32_t mndCreateDb(SMnode *pMnode, SRpcMsg *pReq, SCreateDbReq *pCreate,
  mndTransSetOper(pTrans, MND_OPER_CREATE_DB);
  if (mndSetCreateDbRedoLogs(pMnode, pTrans, &dbObj, pVgroups) != 0) goto _OVER;
  if (mndSetCreateDbUndoLogs(pMnode, pTrans, &dbObj, pVgroups) != 0) goto _OVER;
-  if (mndSetCreateDbCommitLogs(pMnode, pTrans, &dbObj, pVgroups) != 0) goto _OVER;
+  if (mndSetCreateDbCommitLogs(pMnode, pTrans, &dbObj, pVgroups, pNewUserDuped) != 0) goto _OVER;
  if (mndSetCreateDbRedoActions(pMnode, pTrans, &dbObj, pVgroups) != 0) goto _OVER;
  if (mndSetCreateDbUndoActions(pMnode, pTrans, &dbObj, pVgroups) != 0) goto _OVER;
  if (mndTransPrepare(pMnode, pTrans) != 0) goto _OVER;
@ -586,6 +603,7 @@ static int32_t mndCreateDb(SMnode *pMnode, SRpcMsg *pReq, SCreateDbReq *pCreate,

 _OVER:
  taosMemoryFree(pVgroups);
+  mndUserFreeObj(&newUserObj);
  mndTransDrop(pTrans);
  return code;
 }
--- a/source/dnode/mnode/impl/src/mndUser.c
+++ b/source/dnode/mnode/impl/src/mndUser.c
@ -488,7 +488,7 @@ SHashObj *mndDupUseDbHash(SHashObj *pOld) {
  return pNew;
 }

-static int32_t mndUserDupObj(SUserObj *pUser, SUserObj *pNew) {
+int32_t mndUserDupObj(SUserObj *pUser, SUserObj *pNew) {
  memcpy(pNew, pUser, sizeof(SUserObj));
  pNew->authVersion++;
  pNew->updateTime = taosGetTimestampMs();
@ -508,7 +508,7 @@ static int32_t mndUserDupObj(SUserObj *pUser, SUserObj *pNew) {
  return 0;
 }

-static void mndUserFreeObj(SUserObj *pUser) {
+void mndUserFreeObj(SUserObj *pUser) {
  taosHashCleanup(pUser->readDbs);
  taosHashCleanup(pUser->writeDbs);
  taosHashCleanup(pUser->topics);
--- a/source/libs/catalog/src/ctgUtil.c
+++ b/source/libs/catalog/src/ctgUtil.c
@ -1555,10 +1555,13 @@ int32_t ctgChkSetAuthRes(SCatalog* pCtg, SCtgAuthReq* req, SCtgAuthRsp* res) {
  char dbFName[TSDB_DB_FNAME_LEN];
  tNameGetFullDbName(&pReq->tbName, dbFName);

+  // since that we add read/write previliges when create db, there is no need to check createdDbs
+#if 0
  if (pInfo->createdDbs && taosHashGet(pInfo->createdDbs, dbFName, strlen(dbFName))) {
    pRes->pass = true;
    return TSDB_CODE_SUCCESS;
  }
+#endif

  switch (pReq->type) {
    case AUTH_TYPE_READ: {
--- a/tests/script/tsim/user/privilege_create_db.sim
+++ b/tests/script/tsim/user/privilege_create_db.sim
@ -0,0 +1,97 @@
+system sh/stop_dnodes.sh
+system sh/deploy.sh -n dnode1 -i 1
+system sh/exec.sh -n dnode1 -s start
+sql connect
+
+print ========================root user create user
+sql create user u1 pass "taosdata"
+sql create user u2 pass "taosdata"
+sql create database test
+sql select * from information_schema.ins_user_privileges where user_name == "root"
+if $rows != 1 then
+  return -1
+endi
+
+print =============connect with u1
+sql connect u1
+sql create database u1_d1
+sql use u1_d1
+sql create table u1_d1.t1(ts timestamp, c2 int)
+sql use information_schema
+sql select * from ins_user_privileges where user_name == "u1" order by privilege
+if $rows != 2 then
+  return -1
+endi
+if $data01 != read then
+  return -1
+endi
+if $data11 != write then
+  return -1
+endi
+if $data02 != u1_d1 then
+  return -1
+endi
+if $data12 != u1_d1 then
+  return -1
+endi
+
+sql_error grant all on *.* to u1
+sql_error grant all on test.* to u1
+
+print =============connect with u2
+sql connect u2
+sql create database u2_d1
+sql use u2_d1
+sql create table u2_d1.t1(ts timestamp, c2 int)
+sql use information_schema
+sql select * from ins_user_privileges where user_name == "u2" order by privilege
+if $rows != 2 then
+  return -1
+endi
+if $data01 != read then
+  return -1
+endi
+if $data11 != write then
+  return -1
+endi
+if $data02 != u2_d1 then
+  return -1
+endi
+if $data12 != u2_d1 then
+  return -1
+endi
+
+sql_error select * from u1_d1.t1
+sql_error revoke read on u2_d1.* from u2
+
+print =============connect with root, revoke read from u1, all from u2
+sql connect
+sql revoke read on u1_d1.* from u1
+sql revoke all on u2_d1.* from u2
+sleep 1000
+
+print =============connect with u1
+sql connect u1
+sql insert into u1_d1.t1 values(now, 1)
+sql_error select * from u1_d1.t1;
+
+print =============connect with u2
+sql connect u2
+sql_error select * from u2_d1.t1;
+sql_error insert into u2_d1.t1 values(now, 1)
+
+print =============connect with root, grant read to u1, all to u2
+sql connect
+sql grant read on u1_d1.* to u1
+sql grant all on u2_d1.* to u2
+
+sleep 1000
+print =============connect with u1
+sql connect u1
+sql select * from u1_d1.t1;
+sql insert into u1_d1.t1 values(now, 2)
+
+print =============connect with u2
+sql connect u2
+sql select * from u2_d1.t1;
+sql insert into u2_d1.t1 values(now, 2)
--- a/tests/script/win-test-file
+++ b/tests/script/win-test-file
@ -4,6 +4,7 @@
 ./test.sh -f tsim/user/privilege_sysinfo.sim
 ./test.sh -f tsim/user/privilege_topic.sim
 ./test.sh -f tsim/user/privilege_table.sim
+./test.sh -f tsim/user/privilege_create_db.sim
 ./test.sh -f tsim/db/alter_option.sim
 rem ./test.sh -f tsim/db/alter_replica_13.sim
 ./test.sh -f tsim/db/alter_replica_31.sim