in iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/pipe/receiver/protocol/IoTDBConfigNodeReceiver.java [282:567]
/**
 * Checks whether {@code username} holds the privilege required for the given plan.
 *
 * <p>Each handled plan type is mapped to one privilege check (or a loop of checks) against
 * {@code configManager}. The first non-success status is returned as-is.
 *
 * <p>NOTE(review): {@code username} is a field whose origin is not visible in this method;
 * presumably it is the identity authenticated during the receiver handshake. Confirm it cannot
 * be influenced by the plan payload being checked.
 *
 * <p>NOTE(review): the {@code default} branch returns {@code StatusUtils.OK}, so any plan type
 * without an explicit case is accepted with no privilege check. New plan types need a case here
 * before they become reachable through this receiver.
 *
 * @param plan the plan to authorize; its concrete class is assumed to match {@code getType()}
 * @return {@code StatusUtils.OK} when allowed, otherwise the failing status
 */
private TSStatus checkPermission(final ConfigPhysicalPlan plan) {
  final int successCode = TSStatusCode.SUCCESS_STATUS.getStatusCode();

  switch (plan.getType()) {
    case CreateDatabase:
      {
        final String databaseName = ((DatabaseSchemaPlan) plan).getSchema().getName();
        // Table-model databases are checked per database; others need MANAGE_DATABASE.
        final PrivilegeUnion required =
            PathUtils.isTableModelDatabase(databaseName)
                ? new PrivilegeUnion(databaseName, PrivilegeType.CREATE)
                : new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case AlterDatabase:
      {
        final String databaseName = ((DatabaseSchemaPlan) plan).getSchema().getName();
        final PrivilegeUnion required =
            PathUtils.isTableModelDatabase(databaseName)
                ? new PrivilegeUnion(databaseName, PrivilegeType.ALTER)
                : new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case DeleteDatabase:
      {
        final String databaseName = ((DeleteDatabasePlan) plan).getName();
        final PrivilegeUnion required =
            PathUtils.isTableModelDatabase(databaseName)
                ? new PrivilegeUnion(databaseName, PrivilegeType.DROP)
                : new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case ExtendSchemaTemplate:
      {
        final PrivilegeUnion required = new PrivilegeUnion(PrivilegeType.EXTEND_TEMPLATE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case CreateSchemaTemplate:
    case CommitSetSchemaTemplate:
    case PipeUnsetTemplate:
      {
        // Admin-only: decided by string equality with the configured admin name, not by a
        // privilege lookup.
        if (CommonDescriptor.getInstance().getConfig().getAdminName().equals(username)) {
          return StatusUtils.OK;
        }
        return new TSStatus(TSStatusCode.NO_PERMISSION.getStatusCode())
            .setMessage("Only the admin user can perform this operation");
      }
    case PipeDeleteTimeSeries:
      {
        final PipeDeleteTimeSeriesPlan deletePlan = (PipeDeleteTimeSeriesPlan) plan;
        // The paths to authorize are deserialized from the plan's own pattern-tree bytes.
        final PrivilegeUnion required =
            new PrivilegeUnion(
                new ArrayList<>(
                    PathPatternTree.deserialize(deletePlan.getPatternTreeBytes())
                        .getAllPathPatterns()),
                PrivilegeType.WRITE_SCHEMA);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case PipeDeleteLogicalView:
      {
        final PipeDeleteLogicalViewPlan deletePlan = (PipeDeleteLogicalViewPlan) plan;
        final PrivilegeUnion required =
            new PrivilegeUnion(
                new ArrayList<>(
                    PathPatternTree.deserialize(deletePlan.getPatternTreeBytes())
                        .getAllPathPatterns()),
                PrivilegeType.WRITE_SCHEMA);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case PipeDeactivateTemplate:
      {
        final PipeDeactivateTemplatePlan deactivatePlan = (PipeDeactivateTemplatePlan) plan;
        // Only the keys of the template-set map are authorized here.
        final PrivilegeUnion required =
            new PrivilegeUnion(
                new ArrayList<>(deactivatePlan.getTemplateSetInfo().keySet()),
                PrivilegeType.WRITE_SCHEMA);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case SetTTL:
      {
        final SetTTLPlan ttlPlan = (SetTTLPlan) plan;
        final String[] pathNodes = ttlPlan.getPathPattern();
        // If the stored TTL for this path already equals the requested one, the request is
        // accepted without any privilege check.
        // NOTE(review): the OK / NO_PERMISSION difference is visible to a caller without the
        // privilege; confirm that is acceptable.
        if (Objects.equals(
            configManager
                .getTTLManager()
                .getAllTTL()
                .get(String.join(String.valueOf(IoTDBConstant.PATH_SEPARATOR), pathNodes)),
            ttlPlan.getTTL())) {
          return StatusUtils.OK;
        }
        final PrivilegeUnion required =
            ttlPlan.isDataBase()
                ? new PrivilegeUnion(PrivilegeType.MANAGE_DATABASE)
                : new PrivilegeUnion(
                    Collections.singletonList(new PartialPath(pathNodes)),
                    PrivilegeType.WRITE_SCHEMA);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case UpdateTriggerStateInTable:
    case DeleteTriggerInTable:
      {
        final PrivilegeUnion required = new PrivilegeUnion(PrivilegeType.USE_TRIGGER);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case PipeCreateTableOrView:
      {
        final PipeCreateTableOrViewPlan createPlan = (PipeCreateTableOrViewPlan) plan;
        final PrivilegeUnion required =
            new PrivilegeUnion(
                createPlan.getDatabase(),
                createPlan.getTable().getTableName(),
                PrivilegeType.CREATE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case AddTableColumn:
    case AddViewColumn:
    case SetTableProperties:
    case SetViewProperties:
    case CommitDeleteColumn:
    case CommitDeleteViewColumn:
    case SetTableComment:
    case SetViewComment:
    case SetTableColumnComment:
    case RenameTableColumn:
    case RenameViewColumn:
    case RenameTable:
    case RenameView:
      {
        // Every table/view alteration requires ALTER on the (database, table) pair.
        final AbstractTablePlan tablePlan = (AbstractTablePlan) plan;
        final PrivilegeUnion required =
            new PrivilegeUnion(
                tablePlan.getDatabase(), tablePlan.getTableName(), PrivilegeType.ALTER);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case CommitDeleteTable:
    case CommitDeleteView:
      {
        final CommitDeleteTablePlan dropPlan = (CommitDeleteTablePlan) plan;
        final PrivilegeUnion required =
            new PrivilegeUnion(
                dropPlan.getDatabase(), dropPlan.getTableName(), PrivilegeType.DROP);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case GrantRole:
    case GrantUser:
    case RevokeUser:
    case RevokeRole:
      {
        final AuthorTreePlan authorPlan = (AuthorTreePlan) plan;
        for (final int permission : authorPlan.getPermissions()) {
          // The plan carries each privilege as an index into PrivilegeType.values(). An
          // out-of-range index throws ArrayIndexOutOfBoundsException here.
          // NOTE(review): confirm the caller treats that exception as a rejection, and that
          // sender and receiver agree on the enum order.
          final PrivilegeType type = PrivilegeType.values()[permission];
          // The trailing 'true' presumably marks a grant-option check; verify against
          // PrivilegeUnion.
          final PrivilegeUnion required =
              type.isPathPrivilege()
                  ? new PrivilegeUnion(authorPlan.getNodeNameList(), type, true)
                  : new PrivilegeUnion(type, true);
          // This tree-model branch is the only one that calls checkUserPrivilegeGrantOpt.
          final TSStatus status =
              configManager.checkUserPrivilegeGrantOpt(username, required).getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case RGrantUserAny:
    case RGrantRoleAny:
    case RRevokeUserAny:
    case RRevokeRoleAny:
      {
        final AuthorRelationalPlan authorPlan = (AuthorRelationalPlan) plan;
        for (final int permission : authorPlan.getPermissions()) {
          // Same index-based lookup as the tree-model grant branch; an invalid index throws.
          final PrivilegeType type = PrivilegeType.values()[permission];
          final TSStatus status =
              configManager
                  .checkUserPrivileges(username, new PrivilegeUnion(type, true, true))
                  .getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case RGrantUserAll:
    case RGrantRoleAll:
    case RRevokeUserAll:
    case RRevokeRoleAll:
      {
        // "ALL" is expanded on the receiver: every relational or relational-system privilege
        // must pass; other privilege types are skipped.
        for (final PrivilegeType candidate : PrivilegeType.values()) {
          final PrivilegeUnion required;
          if (candidate.isRelationalPrivilege()) {
            required = new PrivilegeUnion(candidate, true, true);
          } else if (candidate.forRelationalSys()) {
            required = new PrivilegeUnion(candidate, true);
          } else {
            continue;
          }
          final TSStatus status =
              configManager.checkUserPrivileges(username, required).getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case RGrantUserDBPriv:
    case RGrantRoleDBPriv:
    case RRevokeUserDBPriv:
    case RRevokeRoleDBPriv:
      {
        final AuthorRelationalPlan authorPlan = (AuthorRelationalPlan) plan;
        for (final int permission : authorPlan.getPermissions()) {
          final PrivilegeType type = PrivilegeType.values()[permission];
          final TSStatus status =
              configManager
                  .checkUserPrivileges(
                      username, new PrivilegeUnion(authorPlan.getDatabaseName(), type, true))
                  .getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case RGrantUserTBPriv:
    case RGrantRoleTBPriv:
    case RRevokeUserTBPriv:
    case RRevokeRoleTBPriv:
      {
        final AuthorRelationalPlan authorPlan = (AuthorRelationalPlan) plan;
        for (final int permission : authorPlan.getPermissions()) {
          final PrivilegeType type = PrivilegeType.values()[permission];
          final TSStatus status =
              configManager
                  .checkUserPrivileges(
                      username,
                      new PrivilegeUnion(
                          authorPlan.getDatabaseName(), authorPlan.getTableName(), type, true))
                  .getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case RGrantUserSysPri:
    case RGrantRoleSysPri:
    case RRevokeUserSysPri:
    case RRevokeRoleSysPri:
      {
        final AuthorRelationalPlan authorPlan = (AuthorRelationalPlan) plan;
        for (final int permission : authorPlan.getPermissions()) {
          final PrivilegeType type = PrivilegeType.values()[permission];
          final TSStatus status =
              configManager
                  .checkUserPrivileges(username, new PrivilegeUnion(type, true))
                  .getStatus();
          if (status.getCode() != successCode) {
            return status;
          }
        }
        return StatusUtils.OK;
      }
    case UpdateUser:
    case RUpdateUser:
      {
        // A user may update their own account without MANAGE_USER; anyone else needs it.
        if (((AuthorPlan) plan).getUserName().equals(username)) {
          return StatusUtils.OK;
        }
        return configManager
            .checkUserPrivileges(username, new PrivilegeUnion(PrivilegeType.MANAGE_USER))
            .getStatus();
      }
    case CreateUser:
    case RCreateUser:
    case CreateUserWithRawPassword:
    case DropUser:
    case RDropUser:
      {
        final PrivilegeUnion required = new PrivilegeUnion(PrivilegeType.MANAGE_USER);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    case CreateRole:
    case RCreateRole:
    case DropRole:
    case RDropRole:
    case GrantRoleToUser:
    case RGrantUserRole:
    case RevokeRoleFromUser:
    case RRevokeUserRole:
      {
        final PrivilegeUnion required = new PrivilegeUnion(PrivilegeType.MANAGE_ROLE);
        return configManager.checkUserPrivileges(username, required).getStatus();
      }
    default:
      // Fail-open: plan types not listed above pass without a privilege check.
      // NOTE(review): verify that every type reaching this branch is meant to be unrestricted.
      return StatusUtils.OK;
  }
}