Permission for Relation model

apache · Jan 24, 2025 · 1b0af7d · 1b0af7d
1 parent 52da698
commit 1b0af7d
Show file tree

Hide file tree

Showing 161 changed files with 7,728 additions and 4,601 deletions.
diff --git a/...st/src/test/java/org/apache/iotdb/confignode/it/database/IoTDBDatabaseSetAndDeleteIT.java b/...st/src/test/java/org/apache/iotdb/confignode/it/database/IoTDBDatabaseSetAndDeleteIT.java
@@ -56,8 +56,8 @@ public class IoTDBDatabaseSetAndDeleteIT {
 
   @Before
   public void setUp() throws Exception {
-    // Init 1C0D environment
-    EnvFactory.getEnv().initClusterEnvironment(1, 0);
+    // Init 1C1D environment
+    EnvFactory.getEnv().initClusterEnvironment(1, 1);
   }
 
   @After

diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBAuthIT.java
@@ -114,10 +114,11 @@ public void allPrivilegesTest() throws SQLException {
         // tempuser revoke his write_schema privilege
         userStmt.execute("REVOKE WRITE_SCHEMA ON root.** FROM USER tempuser");
 
-        // 6. REVOKE ALL will get an error.
         Assert.assertThrows(
-            SQLException.class,
-            () -> adminStmt.execute("REVOKE ALL on root.** FROM USER tempuser"));
+            SQLException.class, () -> userStmt.execute("GRANT READ_DATA root.t1 to USER tempuser"));
+
+        // 6. REVOKE ALL will be ok.
+        adminStmt.execute("REVOKE ALL on root.** FROM USER tempuser");
         adminStmt.execute("GRANT ALL ON root.** TO USER tempuser");
         adminStmt.execute("REVOKE ALL ON root.** FROM USER tempuser");
 
@@ -254,9 +255,7 @@ public void illegalGrantRevokeUserTest() throws SQLException {
             () -> userStmt.execute("GRANT WRITE_SCHEMA on root.a.b TO USER tempuser"));
         // revoke a non-existing privilege
         adminStmt.execute("REVOKE MANAGE_USER on root.** FROM USER tempuser");
-        Assert.assertThrows(
-            SQLException.class,
-            () -> adminStmt.execute("REVOKE MANAGE_USER on root.** FROM USER tempuser"));
+
         // revoke a non-existing user
         Assert.assertThrows(
             SQLException.class,
@@ -312,9 +311,7 @@ public void createDeleteTimeSeriesTest() throws SQLException {
             () ->
                 userStmt.execute("CREATE TIMESERIES root.b.a WITH DATATYPE=INT32,ENCODING=PLAIN"));
 
-        Assert.assertThrows(
-            SQLException.class,
-            () -> adminStmt.execute("REVOKE WRITE_SCHEMA ON root.a.b FROM USER tempuser"));
+        adminStmt.execute("REVOKE WRITE_SCHEMA ON root.a.b FROM USER tempuser");
         // no privilege to create this one anymore
         Assert.assertThrows(
             SQLException.class,
@@ -450,7 +447,7 @@ public void testListUser() throws SQLException {
 
     try {
       ResultSet resultSet = adminStmt.executeQuery("LIST USER");
-      String ans = String.format("root,\n");
+      String ans = "root,\n";
       try {
         validateResultSet(resultSet, ans);
 
@@ -551,7 +548,7 @@ public void testListUserRole() throws SQLException {
       // user1 : role1; MANAGE_ROLE,MANAGE_USER
       // user2 : role1, role2;
       ResultSet resultSet;
-      String ans = "";
+      String ans;
       Connection userCon = EnvFactory.getEnv().getConnection("user1", "password");
       Statement userStmt = userCon.createStatement();
       try {
@@ -618,16 +615,16 @@ public void testListUserPrivileges() throws SQLException {
         validateResultSet(resultSet, ans);
         resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER root");
         ans =
-            ",root.**,MANAGE_USER,true,\n"
-                + ",root.**,MANAGE_ROLE,true,\n"
-                + ",root.**,USE_TRIGGER,true,\n"
-                + ",root.**,USE_UDF,true,\n"
-                + ",root.**,USE_CQ,true,\n"
-                + ",root.**,USE_PIPE,true,\n"
-                + ",root.**,USE_MODEL,true,\n"
-                + ",root.**,EXTEND_TEMPLATE,true,\n"
-                + ",root.**,MANAGE_DATABASE,true,\n"
-                + ",root.**,MAINTAIN,true,\n"
+            ",,MANAGE_USER,true,\n"
+                + ",,MANAGE_ROLE,true,\n"
+                + ",,USE_TRIGGER,true,\n"
+                + ",,USE_UDF,true,\n"
+                + ",,USE_CQ,true,\n"
+                + ",,USE_PIPE,true,\n"
+                + ",,USE_MODEL,true,\n"
+                + ",,EXTEND_TEMPLATE,true,\n"
+                + ",,MANAGE_DATABASE,true,\n"
+                + ",,MAINTAIN,true,\n"
                 + ",root.**,READ_DATA,true,\n"
                 + ",root.**,WRITE_DATA,true,\n"
                 + ",root.**,READ_SCHEMA,true,\n"
@@ -964,22 +961,25 @@ public void testGrantAndGrantOpt() throws SQLException {
 
     // 2. USER1 has all privileges on root.**
     for (PrivilegeType item : PrivilegeType.values()) {
+      if (item.isRelationalPrivilege()) {
+        continue;
+      }
       String sql = "GRANT %s on root.** to USER user1";
-      adminStmt.execute(String.format(sql, item.toString()));
+      adminStmt.execute(String.format(sql, item));
     }
     // 3.admin lists privileges of user1
     ResultSet resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user1");
     String ans =
-        ",root.**,MANAGE_USER,false,\n"
-            + ",root.**,MANAGE_ROLE,false,\n"
-            + ",root.**,USE_TRIGGER,false,\n"
-            + ",root.**,USE_UDF,false,\n"
-            + ",root.**,USE_CQ,false,\n"
-            + ",root.**,USE_PIPE,false,\n"
-            + ",root.**,USE_MODEL,false,\n"
-            + ",root.**,EXTEND_TEMPLATE,false,\n"
-            + ",root.**,MANAGE_DATABASE,false,\n"
-            + ",root.**,MAINTAIN,false,\n"
+        ",,MANAGE_USER,false,\n"
+            + ",,MANAGE_ROLE,false,\n"
+            + ",,USE_TRIGGER,false,\n"
+            + ",,USE_UDF,false,\n"
+            + ",,USE_CQ,false,\n"
+            + ",,USE_PIPE,false,\n"
+            + ",,USE_MODEL,false,\n"
+            + ",,EXTEND_TEMPLATE,false,\n"
+            + ",,MANAGE_DATABASE,false,\n"
+            + ",,MAINTAIN,false,\n"
             + ",root.**,READ_DATA,false,\n"
             + ",root.**,WRITE_DATA,false,\n"
             + ",root.**,READ_SCHEMA,false,\n"
@@ -988,21 +988,24 @@ public void testGrantAndGrantOpt() throws SQLException {
 
     // 4. USER2 has all privilegs on root.** with grant option;
     for (PrivilegeType item : PrivilegeType.values()) {
+      if (item.isRelationalPrivilege()) {
+        continue;
+      }
       String sql = "GRANT %s on root.** to USER user2 with grant option";
-      adminStmt.execute(String.format(sql, item.toString()));
+      adminStmt.execute(String.format(sql, item));
     }
     resultSet = adminStmt.executeQuery("LIST PRIVILEGES OF USER user2");
     ans =
-        ",root.**,MANAGE_USER,true,\n"
-            + ",root.**,MANAGE_ROLE,true,\n"
-            + ",root.**,USE_TRIGGER,true,\n"
-            + ",root.**,USE_UDF,true,\n"
-            + ",root.**,USE_CQ,true,\n"
-            + ",root.**,USE_PIPE,true,\n"
-            + ",root.**,USE_MODEL,true,\n"
-            + ",root.**,EXTEND_TEMPLATE,true,\n"
-            + ",root.**,MANAGE_DATABASE,true,\n"
-            + ",root.**,MAINTAIN,true,\n"
+        ",,MANAGE_USER,true,\n"
+            + ",,MANAGE_ROLE,true,\n"
+            + ",,USE_TRIGGER,true,\n"
+            + ",,USE_UDF,true,\n"
+            + ",,USE_CQ,true,\n"
+            + ",,USE_PIPE,true,\n"
+            + ",,USE_MODEL,true,\n"
+            + ",,EXTEND_TEMPLATE,true,\n"
+            + ",,MANAGE_DATABASE,true,\n"
+            + ",,MAINTAIN,true,\n"
             + ",root.**,READ_DATA,true,\n"
             + ",root.**,WRITE_DATA,true,\n"
             + ",root.**,READ_SCHEMA,true,\n"
@@ -1019,16 +1022,16 @@ public void testGrantAndGrantOpt() throws SQLException {
       try {
         resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
         ans =
-            ",root.**,MANAGE_USER,false,\n"
-                + ",root.**,MANAGE_ROLE,false,\n"
-                + ",root.**,USE_TRIGGER,false,\n"
-                + ",root.**,USE_UDF,false,\n"
-                + ",root.**,USE_CQ,false,\n"
-                + ",root.**,USE_PIPE,false,\n"
-                + ",root.**,USE_MODEL,false,\n"
-                + ",root.**,EXTEND_TEMPLATE,false,\n"
-                + ",root.**,MANAGE_DATABASE,false,\n"
-                + ",root.**,MAINTAIN,false,\n"
+            ",,MANAGE_USER,false,\n"
+                + ",,MANAGE_ROLE,false,\n"
+                + ",,USE_TRIGGER,false,\n"
+                + ",,USE_UDF,false,\n"
+                + ",,USE_CQ,false,\n"
+                + ",,USE_PIPE,false,\n"
+                + ",,USE_MODEL,false,\n"
+                + ",,EXTEND_TEMPLATE,false,\n"
+                + ",,MANAGE_DATABASE,false,\n"
+                + ",,MAINTAIN,false,\n"
                 + ",root.**,READ_DATA,false,\n"
                 + ",root.**,WRITE_DATA,false,\n"
                 + ",root.**,READ_SCHEMA,false,\n"
@@ -1052,21 +1055,21 @@ public void testGrantAndGrantOpt() throws SQLException {
         validateResultSet(resultSet, ans);
         userStmt.execute("GRANT MANAGE_ROLE ON root.** TO USER user3");
         resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user3");
-        ans = ",root.**,MANAGE_ROLE,false,\n";
+        ans = ",,MANAGE_ROLE,false,\n";
         validateResultSet(resultSet, ans);
 
         userStmt.execute("REVOKE MANAGE_ROLE ON root.** FROM USER user1");
         resultSet = userStmt.executeQuery("LIST PRIVILEGES OF USER user1");
         ans =
-            ",root.**,MANAGE_USER,false,\n"
-                + ",root.**,USE_TRIGGER,false,\n"
-                + ",root.**,USE_UDF,false,\n"
-                + ",root.**,USE_CQ,false,\n"
-                + ",root.**,USE_PIPE,false,\n"
-                + ",root.**,USE_MODEL,false,\n"
-                + ",root.**,EXTEND_TEMPLATE,false,\n"
-                + ",root.**,MANAGE_DATABASE,false,\n"
-                + ",root.**,MAINTAIN,false,\n"
+            ",,MANAGE_USER,false,\n"
+                + ",,USE_TRIGGER,false,\n"
+                + ",,USE_UDF,false,\n"
+                + ",,USE_CQ,false,\n"
+                + ",,USE_PIPE,false,\n"
+                + ",,USE_MODEL,false,\n"
+                + ",,EXTEND_TEMPLATE,false,\n"
+                + ",,MANAGE_DATABASE,false,\n"
+                + ",,MAINTAIN,false,\n"
                 + ",root.**,READ_DATA,false,\n"
                 + ",root.**,WRITE_DATA,false,\n"
                 + ",root.**,READ_SCHEMA,false,\n"
@@ -1115,9 +1118,12 @@ public void testRevokeAndGrantOpt() throws SQLException {
     //    user2 has all privileges without grant option on root.**
     //    user2 has all privileges without grant option on root.t1.**
     for (PrivilegeType item : PrivilegeType.values()) {
+      if (item.isRelationalPrivilege()) {
+        continue;
+      }
       String sql = "GRANT %s on root.** to USER user1 WITH GRANT OPTION";
       adminStmt.execute(String.format(sql, item));
-      if (item.isPathRelevant()) {
+      if (item.isPathPrivilege()) {
         adminStmt.execute(String.format("GRANT %s on root.t1.** TO USER user2", item));
       }
       sql = "GRANT %s on root.** to USER user2";
@@ -1130,6 +1136,9 @@ public void testRevokeAndGrantOpt() throws SQLException {
     try {
       // revoke privileges on root.** and root.t1.**
       for (PrivilegeType item : PrivilegeType.values()) {
+        if (item.isRelationalPrivilege()) {
+          continue;
+        }
         user1Stmt.execute(String.format("REVOKE %s ON root.** FROM USER user2", item));
       }
 

diff --git a/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java b/integration-test/src/test/java/org/apache/iotdb/db/it/auth/IoTDBClusterAuthorityIT.java
@@ -20,6 +20,7 @@
 package org.apache.iotdb.db.it.auth;
 
 import org.apache.iotdb.common.rpc.thrift.TSStatus;
+import org.apache.iotdb.commons.auth.entity.PrivilegeModelType;
 import org.apache.iotdb.commons.auth.entity.PrivilegeType;
 import org.apache.iotdb.commons.client.sync.SyncConfigNodeIServiceClient;
 import org.apache.iotdb.commons.exception.IllegalPathException;
@@ -60,8 +61,8 @@ public class IoTDBClusterAuthorityIT {
 
   @Before
   public void setUp() throws Exception {
-    // Init 1C0D environment
-    EnvFactory.getEnv().initClusterEnvironment(1, 0);
+    // Init 1C1D environment
+    EnvFactory.getEnv().initClusterEnvironment(1, 1);
   }
 
   @After
@@ -159,9 +160,11 @@ public void permissionTest() throws IllegalPathException {
       // check user privileges
       checkUserPrivilegesReq =
           new TCheckUserPrivilegesReq(
-              "tempuser0",
-              AuthUtils.serializePartialPathList(paths),
-              PrivilegeType.MANAGE_USER.ordinal());
+                  "tempuser0",
+                  PrivilegeModelType.TREE.ordinal(),
+                  PrivilegeType.MANAGE_USER.ordinal(),
+                  false)
+              .setPaths(AuthUtils.serializePartialPathList(paths));
       status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
       assertEquals(TSStatusCode.NO_PERMISSION.getStatusCode(), status.getCode());
 
@@ -282,9 +285,11 @@ public void permissionTest() throws IllegalPathException {
       // check user privileges
       checkUserPrivilegesReq =
           new TCheckUserPrivilegesReq(
-              "tempuser0",
-              AuthUtils.serializePartialPathList(paths),
-              PrivilegeType.READ_DATA.ordinal());
+                  "tempuser0",
+                  PrivilegeModelType.TREE.ordinal(),
+                  PrivilegeType.READ_DATA.ordinal(),
+                  false)
+              .setPaths(AuthUtils.serializePartialPathList(nodeNameList));
       status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode());
 
@@ -367,10 +372,13 @@ public void permissionTest() throws IllegalPathException {
       status = authorizerResp.getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode());
       assertEquals(ColumnHeaderConstant.PRIVILEGES, authorizerResp.getTag());
-      assertEquals("tempuser0", authorizerResp.getPermissionInfo().getUserInfo().getUsername());
       assertEquals(
-          new ArrayList<>(), authorizerResp.getPermissionInfo().getUserInfo().getPrivilegeList());
-      assertEquals(1, authorizerResp.getPermissionInfo().getUserInfo().getRoleListSize());
+          "tempuser0",
+          authorizerResp.getPermissionInfo().getUserInfo().getPermissionInfo().getName());
+      assertEquals(
+          new ArrayList<>(),
+          authorizerResp.getPermissionInfo().getUserInfo().getPermissionInfo().getPrivilegeList());
+      assertEquals(1, authorizerResp.getPermissionInfo().getUserInfo().getRoleSet().size());
 
       // list privileges role
       authorizerReq =
@@ -443,17 +451,32 @@ public void permissionTest() throws IllegalPathException {
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode());
       assertNull(authorizerResp.getMemberInfo());
       assertEquals(new HashMap<>(), authorizerResp.getPermissionInfo().getRoleInfo());
+      assertEquals(new HashSet<>(), authorizerResp.getPermissionInfo().getUserInfo().getRoleSet());
       assertEquals(
-          new ArrayList<>(), authorizerResp.getPermissionInfo().getUserInfo().getRoleList());
-      assertEquals(
-          PrivilegeType.getPathPriCount(),
-          authorizerResp.getPermissionInfo().getUserInfo().getPrivilegeList().get(0).priSet.size());
+          PrivilegeType.getPrivilegeCount(PrivilegeModelType.TREE),
+          authorizerResp
+              .getPermissionInfo()
+              .getUserInfo()
+              .getPermissionInfo()
+              .getPrivilegeList()
+              .get(0)
+              .priSet
+              .size());
       assertEquals(
-          PrivilegeType.getSysPriCount(),
-          authorizerResp.getPermissionInfo().getUserInfo().getSysPriSet().size());
+          PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM),
+          authorizerResp
+              .getPermissionInfo()
+              .getUserInfo()
+              .getPermissionInfo()
+              .getSysPriSet()
+              .size());
       assertEquals(
-          PrivilegeType.getSysPriCount(),
-          authorizerResp.getPermissionInfo().getUserInfo().getSysPriSetGrantOptSize());
+          PrivilegeType.getPrivilegeCount(PrivilegeModelType.SYSTEM),
+          authorizerResp
+              .getPermissionInfo()
+              .getUserInfo()
+              .getPermissionInfo()
+              .getSysPriSetGrantOptSize());
 
       authorizerReq =
           new TAuthorizerReq(
@@ -473,8 +496,9 @@ public void permissionTest() throws IllegalPathException {
       checkUserPrivilegesReq =
           new TCheckUserPrivilegesReq(
               "tempuser0",
-              AuthUtils.serializePartialPathList(new ArrayList<>()),
-              PrivilegeType.MANAGE_USER.ordinal());
+              PrivilegeModelType.SYSTEM.ordinal(),
+              PrivilegeType.MANAGE_USER.ordinal(),
+              false);
       status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode());
 
@@ -496,8 +520,9 @@ public void permissionTest() throws IllegalPathException {
       checkUserPrivilegesReq =
           new TCheckUserPrivilegesReq(
               "tempuser0",
-              AuthUtils.serializePartialPathList(new ArrayList<>()),
-              PrivilegeType.MANAGE_DATABASE.ordinal());
+              PrivilegeModelType.SYSTEM.ordinal(),
+              PrivilegeType.MANAGE_DATABASE.ordinal(),
+              false);
       status = client.checkUserPrivileges(checkUserPrivilegesReq).getStatus();
       assertEquals(TSStatusCode.SUCCESS_STATUS.getStatusCode(), status.getCode());