public void checkUserCanRunRelationalAuthorStatement()

in iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/plan/relational/security/AccessControlImpl.java [162:355]


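  /**
   * Authorization gate for relational (table-model) user/role management statements.
   *
   * <p>The same three rules are applied to every statement type, in this order:
   *
   * <ul>
   *   <li>The built-in admin account ({@link AuthorityChecker#SUPER_USER}) can never be the target
   *       of a create/drop/update/grant/revoke, no matter who issues the statement.
   *   <li>The admin account itself may run anything else without further checks.
   *   <li>Everyone else needs the matching global privilege (MANAGE_USER / MANAGE_ROLE), a grant
   *       option on each privilege being granted or revoked, or -- for the read-only listings --
   *       must be asking about themselves or a role they hold.
   * </ul>
   *
   * @param userName the authenticated user running the statement (never the statement's target)
   * @param statement the parsed statement; its target user/role, database, table and privilege
   *     list are read from here
   * @throws AccessDeniedException when the statement targets the admin account, or when the
   *     caller lacks the required privilege (the latter is raised by {@code authChecker})
   * @throws SemanticException when privileges would be granted or revoked on information_schema
   */
  public void checkUserCanRunRelationalAuthorStatement(
      String userName, RelationalAuthorStatement statement) {
    final boolean callerIsAdmin = AuthorityChecker.SUPER_USER.equals(userName);
    final AuthorRType type = statement.getAuthorType();
    switch (type) {
      case CREATE_USER:
        // admin cannot be created (or re-created) by anyone, admin included.
        rejectAdminTarget(
            statement.getUserName(), "Cannot create user has same name with admin user");
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_USER);
        }
        return;
      case DROP_USER:
        // Neither admin nor the caller's own account may be dropped. userName is the receiver of
        // equals() so a statement with no target (null) falls through to the privilege check
        // instead of throwing NPE.
        if (AuthorityChecker.SUPER_USER.equals(statement.getUserName())
            || userName.equals(statement.getUserName())) {
          throw new AccessDeniedException("Cannot drop admin user or yourself");
        }
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_USER);
        }
        return;
      case UPDATE_USER:
        // Only admin may modify the admin account. Every other mutating statement type in this
        // method denies non-admin callers that target admin; without this check a MANAGE_USER
        // holder could alter the admin account, which is the one path not covered elsewhere.
        if (!callerIsAdmin && AuthorityChecker.SUPER_USER.equals(statement.getUserName())) {
          throw new AccessDeniedException("Cannot update admin user");
        }
        // Self-service is always allowed; touching other users needs MANAGE_USER.
        if (callerIsAdmin || userName.equals(statement.getUserName())) {
          return;
        }
        authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_USER);
        return;
      case LIST_USER_PRIV:
        // A user may always list their own privileges; others' need MANAGE_USER.
        if (callerIsAdmin || userName.equals(statement.getUserName())) {
          return;
        }
        authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_USER);
        return;
      case LIST_USER:
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_USER);
        }
        return;
      case CREATE_ROLE:
        rejectAdminTarget(
            statement.getRoleName(), "Cannot create role has same name with admin user");
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        }
        return;
      case DROP_ROLE:
        // The target of DROP ROLE is the role name -- the same field CREATE_ROLE checks above.
        // Comparing getUserName() here would never match for a role statement, so the admin-name
        // guard would be a no-op.
        rejectAdminTarget(statement.getRoleName(), "Cannot drop role with admin name");
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        }
        return;
      case GRANT_USER_ROLE:
        rejectAdminTarget(statement.getUserName(), "Cannot grant role to admin");
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        }
        return;
      case REVOKE_USER_ROLE:
        rejectAdminTarget(statement.getUserName(), "Cannot revoke role from admin");
        if (!callerIsAdmin) {
          authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        }
        return;
      case LIST_ROLE:
        // A user may always list the roles granted to themselves (a null target never matches);
        // listing anyone else's roles needs MANAGE_ROLE.
        if (callerIsAdmin || userName.equals(statement.getUserName())) {
          return;
        }
        authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        return;
      case LIST_ROLE_PRIV:
        // Holders of a role may inspect that role's privileges; otherwise MANAGE_ROLE is required.
        if (callerIsAdmin || AuthorityChecker.checkRole(userName, statement.getRoleName())) {
          return;
        }
        authChecker.checkGlobalPrivilege(userName, TableModelPrivilege.MANAGE_ROLE);
        return;
      case GRANT_ROLE_ANY:
      case GRANT_USER_ANY:
      case REVOKE_ROLE_ANY:
      case REVOKE_USER_ANY:
        rejectAdminTarget(
            statement.getUserName(), "Cannot grant/revoke privileges of admin user");
        if (callerIsAdmin) {
          return;
        }
        // The grantor must hold every listed privilege WITH GRANT OPTION at "any" scope.
        for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
          authChecker.checkAnyScopePrivilegeGrantOption(
              userName, TableModelPrivilege.getTableModelType(privilegeType));
        }
        return;
      case GRANT_ROLE_ALL:
      case REVOKE_ROLE_ALL:
      case GRANT_USER_ALL:
      case REVOKE_USER_ALL:
        rejectAdminTarget(
            statement.getUserName(), "Cannot grant/revoke all privileges of admin user");
        if (callerIsAdmin) {
          return;
        }
        // ALL expands to every table-model privilege: object privileges need the any-scope grant
        // option, system privileges need the global grant option. A privilege flagged as both is
        // checked both ways.
        for (TableModelPrivilege privilege : TableModelPrivilege.values()) {
          final PrivilegeType privilegeType = privilege.getPrivilegeType();
          if (privilegeType.isRelationalPrivilege()) {
            authChecker.checkAnyScopePrivilegeGrantOption(userName, privilege);
          }
          if (privilegeType.forRelationalSys()) {
            authChecker.checkGlobalPrivilegeGrantOption(userName, privilege);
          }
        }
        return;
      case GRANT_USER_DB:
      case GRANT_ROLE_DB:
      case REVOKE_USER_DB:
      case REVOKE_ROLE_DB:
        rejectAdminTarget(
            statement.getUserName(), "Cannot grant/revoke privileges of admin user");
        rejectInformationSchema(statement.getDatabase());
        if (callerIsAdmin) {
          return;
        }
        for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
          authChecker.checkDatabasePrivilegeGrantOption(
              userName,
              statement.getDatabase(),
              TableModelPrivilege.getTableModelType(privilegeType));
        }
        return;
      case GRANT_USER_TB:
      case GRANT_ROLE_TB:
      case REVOKE_USER_TB:
      case REVOKE_ROLE_TB:
        rejectAdminTarget(
            statement.getUserName(), "Cannot grant/revoke privileges of admin user");
        rejectInformationSchema(statement.getDatabase());
        if (callerIsAdmin) {
          return;
        }
        for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
          authChecker.checkTablePrivilegeGrantOption(
              userName,
              new QualifiedObjectName(statement.getDatabase(), statement.getTableName()),
              TableModelPrivilege.getTableModelType(privilegeType));
        }
        return;
      case GRANT_USER_SYS:
      case GRANT_ROLE_SYS:
      case REVOKE_USER_SYS:
      case REVOKE_ROLE_SYS:
        rejectAdminTarget(
            statement.getUserName(), "Cannot grant/revoke privileges of admin user");
        if (callerIsAdmin) {
          return;
        }
        for (PrivilegeType privilegeType : statement.getPrivilegeTypes()) {
          authChecker.checkGlobalPrivilegeGrantOption(
              userName, TableModelPrivilege.getTableModelType(privilegeType));
        }
        return;
      default:
        // NOTE(review): this branch is fail-open -- any AuthorRType not enumerated above passes
        // with no privilege check at all. New statement types must be added to this switch; if
        // no other code path is expected to route types through here, this should throw
        // AccessDeniedException instead. Left as-is to avoid breaking callers that may rely on it.
        break;
    }
  }

  /**
   * Rejects any statement whose target user or role is the built-in admin account. A null target
   * (e.g. a role statement read through the user-name accessor) never matches.
   */
  private static void rejectAdminTarget(String targetName, String message) {
    if (AuthorityChecker.SUPER_USER.equals(targetName)) {
      throw new AccessDeniedException(message);
    }
  }

  /** information_schema is system metadata; privileges on it can neither be granted nor revoked. */
  private static void rejectInformationSchema(String database) {
    if (InformationSchema.INFORMATION_DATABASE.equals(database)) {
      throw new SemanticException("Cannot grant or revoke any privileges to information_schema");
    }
  }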