Skip to content

The grant option check for path privileges was not correctly logged in the audit log #16969

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
shuwenwei wants to merge 3 commits into
base: master
Choose a base branch
from
Open

The grant option check for path privileges was not correctly logged in the audit log #16969

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8890c20
The grant option check for path privileges was not correctly logged i…
shuwenwei Dec 30, 2025
70624d9
fix
shuwenwei Dec 30, 2025
2ffd0cc
fix spell
shuwenwei Dec 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 59 additions & 25 deletions ...java/org/apache/iotdb/db/queryengine/plan/relational/security/TreeAccessCheckVisitor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,7 @@
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.StringJoiner;
import java.util.function.Supplier;
import java.util.stream.Collectors;

Expand Down Expand Up @@ -668,31 +669,12 @@ public TSStatus visitAuthor(AuthorStatement statement, TreeAccessCheckContext co
auditObject)) {
return RpcUtils.SUCCESS_STATUS;
}
for (String s : statement.getPrivilegeList()) {
PrivilegeType privilegeType = PrivilegeType.valueOf(s.toUpperCase());
if (privilegeType.isSystemPrivilege()) {
if (!checkHasGlobalAuth(context, privilegeType, auditObject, true)) {
return AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
+ authorType
+ ", please ensure you have these privileges and the grant option is TRUE when granted)");
}
} else if (privilegeType.isPathPrivilege()) {
if (!AuthorityChecker.checkPathPermissionGrantOption(
context.getUsername(), privilegeType, statement.getNodeNameList())) {
return AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
+ authorType
+ ", please ensure you have these privileges and the grant option is TRUE when granted)");
}
} else {
return AuthorityChecker.getTSStatus(
false, "Not support Relation statement in tree sql_dialect");
}
}
return RpcUtils.SUCCESS_STATUS;
return checkPermissionsWithGrantOption(
context,
Arrays.stream(statement.getPrivilegeList())
.map(s -> PrivilegeType.valueOf(s.toUpperCase()))
.collect(Collectors.toList()),
statement.getNodeNameList());
default:
throw new IllegalArgumentException("Unknown authorType: " + authorType);
}
Expand Down Expand Up @@ -1997,6 +1979,58 @@ protected boolean checkHasGlobalAuth(
return result;
}

protected TSStatus checkPermissionsWithGrantOption(
IAuditEntity auditEntity, List<PrivilegeType> privilegeList, List<PartialPath> paths) {
Supplier<String> supplier =
() -> {
StringJoiner joiner = new StringJoiner(" ");
if (paths != null) {
paths.forEach(path -> joiner.add(path.getFullPath()));
}
return joiner.toString();
};
auditEntity.setPrivilegeTypes(privilegeList);
if (AuthorityChecker.SUPER_USER.equals(auditEntity.getUsername())) {
recordObjectAuthenticationAuditLog(auditEntity.setResult(true), supplier);
return SUCCEED;
}
TSStatus status = SUCCEED;
for (PrivilegeType privilegeType : privilegeList) {
if (privilegeType.isSystemPrivilege()) {
if (!AuthorityChecker.checkSystemPermissionGrantOption(
auditEntity.getUsername(), privilegeType)) {
status =
AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
+ privilegeType
+ ", please ensure you have these privileges and the grant option is TRUE when granted");
break;
}
} else if (privilegeType.isPathPrivilege()) {
if (!AuthorityChecker.checkPathPermissionGrantOption(
auditEntity.getUsername(), privilegeType, paths)) {
status =
AuthorityChecker.getTSStatus(
false,
"Has no permission to execute "
+ privilegeType
+ ", please ensure you have these privileges and the grant option is TRUE when granted");
break;
}
} else {
status =
AuthorityChecker.getTSStatus(
false, "Not support Relation statement in tree sql_dialect");
break;
}
}
recordObjectAuthenticationAuditLog(
auditEntity.setResult(status.getCode() == TSStatusCode.SUCCESS_STATUS.getStatusCode()),
supplier);
return status;
}

protected TSStatus checkWriteOnReadOnlyPath(IAuditEntity auditEntity, PartialPath path) {
if (includeByAuditTreeDB(path)
&& !AuthorityChecker.INTERNAL_AUDIT_USER.equals(path.getFullPath())) {
Expand Down
Loading