Fix security view miss SECURITY msg in show create view
HangyuanLiu committed Feb 27, 2025
1 parent f38b850 commit caa2be2
Showing 7 changed files with 55 additions and 11 deletions.
Expand Up @@ -26,6 +26,7 @@
import com.starrocks.qe.ConnectContext;
import com.starrocks.server.GlobalStateMgr;
import com.starrocks.sql.StatementPlanner;
import com.starrocks.sql.analyzer.Analyzer;
import com.starrocks.sql.analyzer.Authorizer;
import com.starrocks.sql.ast.AstTraverser;
import com.starrocks.sql.ast.DeleteStmt;
Expand Down Expand Up @@ -156,10 +157,19 @@ public static void check(ConnectContext context, QueryStatement stmt, List<Table
List<TableName> allTables = view.getTableRefs();
for (TableName t : allTables) {
BasicTable basicTable = GlobalStateMgr.getCurrentState().getMetadataMgr().getBasicTable(
InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME, t.getDb(), t.getTbl());

Authorizer.checkAnyActionOnTableLikeObject(context.getCurrentUserIdentity(),
null, t.getDb(), basicTable);
t.getCatalog(), t.getDb(), t.getTbl());
if (basicTable.isOlapView()) {
View subView = (View) basicTable;
QueryStatement queryStatement = subView.getQueryStatement();
Analyzer.analyze(queryStatement, context);
Authorizer.check(queryStatement, context);
} else if (basicTable.isMaterializedView()) {
Authorizer.checkMaterializedViewAction(context.getCurrentUserIdentity(),
context.getCurrentRoleIds(), t, PrivilegeType.SELECT);
} else {
Authorizer.checkTableAction(context.getCurrentUserIdentity(),
context.getCurrentRoleIds(), t, PrivilegeType.SELECT);
}
}
}

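Review bot: The `isOlapView()` branch enforces no privilege on the referenced view itself: a table reference must carry SELECT via `checkTableAction` and a materialized view via `checkMaterializedViewAction`, but a nested view is only re-analyzed and handed to `Authorizer.check`, so an invoker with no grant on the nested view passes as long as it can read the base tables. If that is not intended, add the SELECT check on the view before the recursion so the three branches are symmetric. The recursion also applies invoker semantics to the nested view regardless of that view's own security mode, so a definer-rights (SECURITY NONE) sub-view would presumably be checked against the invoker's base-table privileges — worth confirming that is the desired contract. `getBasicTable` now delegates to `getTable` for a null catalog (see the MetadataMgr hunk in this commit); if `getTable` can return null for an unknown object, `basicTable.isOlapView()` dereferences it unguarded and should either be null-checked or fail with a clear error. The enclosing `check` method starts before this hunk.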
Expand Up @@ -32,6 +32,7 @@
import com.starrocks.catalog.Database;
import com.starrocks.catalog.ExternalCatalogTableBasicInfo;
import com.starrocks.catalog.IcebergTable;
import com.starrocks.catalog.InternalCatalog;
import com.starrocks.catalog.MaterializedIndexMeta;
import com.starrocks.catalog.PartitionKey;
import com.starrocks.catalog.Table;
Expand Down Expand Up @@ -611,6 +612,10 @@ public boolean tableExists(String catalogName, String dbName, String tblName) {
* Use this method if you are absolutely sure, otherwise use MetadataMgr#getTable.
*/
public BasicTable getBasicTable(String catalogName, String dbName, String tblName) {
if (catalogName == null) {
return getTable(InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME, dbName, tblName);
}

if (CatalogMgr.isInternalCatalog(catalogName)) {
return getTable(catalogName, dbName, tblName);
}
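Review bot: The new null-catalog fallback at the top of `getBasicTable` is not reflected in the method's Javadoc, which ends just above the hunk and only warns about preferring `MetadataMgr#getTable`. Add a line such as `* A null catalogName is treated as the default internal catalog.` so callers that pass `TableName#getCatalog()` (which the ColumnPrivilege change in this commit now does) can see that the null case is resolved here rather than inside `CatalogMgr.isInternalCatalog`. The rest of `getBasicTable` continues below the hunk.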
Expand Up @@ -1606,6 +1606,12 @@ public static void getDdlStmt(String dbName, Table table, List<String> createTab
sb.append(")");
addTableComment(sb, view);

if (view.isSecurity()) {
sb.append(" SECURITY INVOKER");
} else {
sb.append(" SECURITY NONE");
}

sb.append(" AS ").append(view.getInlineViewDef()).append(";");
createTableStmt.add(sb.toString());
return;
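Review bot: The SECURITY clause is now emitted for every view, including views created without one, which changes the SHOW CREATE VIEW text of all existing views (the updated test expectations in this commit show this); a short comment such as `// Always emit the SECURITY clause so the generated DDL round-trips the view's security mode` would stop the next reader from treating the unconditional output as a regression. The if/else can be collapsed to `sb.append(view.isSecurity() ? " SECURITY INVOKER" : " SECURITY NONE");`. Its position between the table comment and ` AS ` matches the CREATE VIEW form the tests use (`COMMENT ... SECURITY NONE AS ...`), so keep it there if the block is ever reordered. `getDdlStmt` starts and continues outside this hunk.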
Expand Up @@ -325,7 +325,7 @@ public Void visitUpdateStatement(UpdateStmt statement, ConnectContext context) {
return null;
}

void checkSelectTableAction(ConnectContext context, QueryStatement statement, List<TableName> excludeTables) {
public void checkSelectTableAction(ConnectContext context, QueryStatement statement, List<TableName> excludeTables) {
ColumnPrivilege.check(context, statement, excludeTables);
}

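Review bot: `checkSelectTableAction` is widened from package-private to public without Javadoc, and none of the hunks in this commit show a caller that needs the wider access (the ColumnPrivilege change calls `Authorizer.check` instead). If an external caller exists, document the contract, e.g. `/** Checks SELECT on the tables referenced by {@code statement}, except those in {@code excludeTables}; delegates to ColumnPrivilege.check. */` (confirm the exclusion semantics against `ColumnPrivilege.check`); otherwise keep the original visibility so the set of privilege-check entry points stays minimal. The enclosing visitor class continues outside the hunk.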
Expand Up @@ -152,32 +152,38 @@ public void testCreateView() throws Exception {
testCases.add(new String[]{"test_view_0",
"create view test_view_0 AS SELECT " +
" *, concat('', null) FROM `test`.`tbl1`",
"CREATE VIEW `test_view_0` (`k1`, `k2`, `v1`, `concat('', NULL)`) AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`, `test`.`tbl1`.`v1`, concat('', NULL) AS `concat('', NULL)`\n" +
"CREATE VIEW `test_view_0` (`k1`, `k2`, `v1`, `concat('', NULL)`) SECURITY NONE AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`, `test`.`tbl1`.`v1`, concat('', NULL) AS `concat('', NULL)`\n" +
"FROM `test`.`tbl1`;"
});
testCases.add(new String[]{"test_view_1",
"create view test_view_1 AS SELECT " +
"concat(`test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`) FROM `test`.`tbl1`",
"CREATE VIEW `test_view_1` (`concat(test.tbl1.k1, test.tbl1.k2)`) AS SELECT concat(`test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`) AS `concat(test.tbl1.k1, test.tbl1.k2)`\n" +
"CREATE VIEW `test_view_1` (`concat(test.tbl1.k1, test.tbl1.k2)`) SECURITY NONE AS SELECT concat(`test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`) AS `concat(test.tbl1.k1, test.tbl1.k2)`\n" +
"FROM `test`.`tbl1`;"
});
testCases.add(new String[]{"test_view_2",
"create view test_view_2 AS SELECT " +
"`test`.`tbl1`.`k1`, `test`.`tbl1`.`k2` FROM `test`.`tbl1`",
"CREATE VIEW `test_view_2` (`k1`, `k2`) AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`\n" +
"CREATE VIEW `test_view_2` (`k1`, `k2`) SECURITY NONE AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`\n" +
"FROM `test`.`tbl1`;"
});
testCases.add(new String[]{"test_view_3",
"create view test_view_3 AS SELECT " +
"*, `test`.`tbl1`.`k2` as k3 FROM `test`.`tbl1`",
"CREATE VIEW `test_view_3` (`k1`, `k2`, `v1`, `k3`) AS " +
"CREATE VIEW `test_view_3` (`k1`, `k2`, `v1`, `k3`) SECURITY NONE AS " +
"SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`, `test`.`tbl1`.`v1`, `test`.`tbl1`.`k2` AS `k3`\n" +
"FROM `test`.`tbl1`;"
});
testCases.add(new String[]{"test_view_4",
"create view test_view_4 AS " +
"SELECT `test`.`tbl1`.`k1` as c1, `test`.`tbl1`.`k2` as c2 FROM `test`.`tbl1`",
"CREATE VIEW `test_view_4` (`c1`, `c2`) AS SELECT `test`.`tbl1`.`k1` AS `c1`, `test`.`tbl1`.`k2` AS `c2`\n" +
"CREATE VIEW `test_view_4` (`c1`, `c2`) SECURITY NONE AS SELECT `test`.`tbl1`.`k1` AS `c1`, `test`.`tbl1`.`k2` AS `c2`\n" +
"FROM `test`.`tbl1`;"
});
testCases.add(new String[]{"test_view_5",
"create view test_view_5 SECURITY INVOKER AS " +
"SELECT `test`.`tbl1`.`k1` as c1, `test`.`tbl1`.`k2` as c2 FROM `test`.`tbl1`",
"CREATE VIEW `test_view_5` (`c1`, `c2`) SECURITY INVOKER AS SELECT `test`.`tbl1`.`k1` AS `c1`, `test`.`tbl1`.`k2` AS `c2`\n" +
"FROM `test`.`tbl1`;"
});

Expand Down Expand Up @@ -213,7 +219,7 @@ public void testShowCreateView() throws Exception {
AstToStringBuilder.getDdlStmt(createViewStmt.getDbName(), views.get(0), res,
null, null, false, false, false);
Assert.assertEquals("CREATE VIEW `test_view` (`k1` COMMENT \"dt\", `k2`, `v1`)\n" +
"COMMENT \"view comment\" AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`, `test`.`tbl1`.`v1`\n" +
"COMMENT \"view comment\" SECURITY NONE AS SELECT `test`.`tbl1`.`k1`, `test`.`tbl1`.`k2`, `test`.`tbl1`.`v1`\n" +
"FROM `test`.`tbl1`;", res.get(0));
}

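Review bot: The expected strings now hard-code `SECURITY NONE` for views created without a clause, but no case creates a view with an explicit `SECURITY NONE`, so the default spelling is only shown to round-trip by inference while `SECURITY INVOKER` is pinned directly in test_view_5. Adding a `test_view_6` case with `create view test_view_6 SECURITY NONE AS ...` and the same expected output shape as test_view_4 would close that gap. `testCreateView` and `testShowCreateView` both extend outside the hunks.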
13 changes: 13 additions & 0 deletions test/sql/test_view/R/test_security_view
Expand Up @@ -11,6 +11,9 @@ create view v1 as select * from t1, t2;
create view v2 security invoker as select * from t1, t2;
-- result:
-- !result
create view v3 security invoker as select * from v2;
-- result:
-- !result
create user if not exists u1;
-- result:
-- !result
Expand All @@ -23,6 +26,9 @@ grant select on view v1 to user u1;
grant select on view v2 to user u1;
-- result:
-- !result
grant select on view v3 to user u1;
-- result:
-- !result
create user if not exists u2;
-- result:
-- !result
Expand All @@ -41,6 +47,9 @@ grant select on view v1 to user u2;
grant select on view v2 to user u2;
-- result:
-- !result
grant select on view v3 to user u1;
-- result:
-- !result
execute as u1 with no revert;
-- result:
-- !result
Expand All @@ -51,6 +60,10 @@ select * from v2;
-- result:
E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on VIEW v2 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using <set [default] role>. Current role(s): NONE. Inactivated role(s): NONE.')
-- !result
select * from v3;
-- result:
E: (5203, 'Access denied; you need (at least one of) the SELECT privilege(s) on TABLE t1 for this operation. Please ask the admin to grant permission(s) or try activating existing roles using <set [default] role>. Current role(s): NONE. Inactivated role(s): NONE.')
-- !result
execute as root with no revert;
-- result:
-- !result
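Review bot: In the u2 setup block the added `grant select on view v3 to user u1;` grants to u1 instead of u2, unlike the surrounding grants for t1, t2, v1 and v2 which all target u2; this looks like a copy-paste slip and leaves u2 with no grant on v3, so the line should read `grant select on view v3 to user u2;`. The same line appears in the T/test_security_view file in this commit and needs the same fix, after which the recorded results for the u2 section should be regenerated. The expected error for u1's `select * from v3` names TABLE t1 rather than VIEW v2, which shows the invoker check recursing through v2 to the base tables; if that is the intended contract, a one-line comment in the T file stating it would help future readers.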
4 changes: 4 additions & 0 deletions test/sql/test_view/T/test_security_view
Expand Up @@ -5,22 +5,26 @@ create table t2(c3 bigint, c4 bigint);

create view v1 as select * from t1, t2;
create view v2 security invoker as select * from t1, t2;
create view v3 security invoker as select * from v2;

create user if not exists u1;
grant impersonate on user root to u1;
grant select on view v1 to user u1;
grant select on view v2 to user u1;
grant select on view v3 to user u1;

create user if not exists u2;
grant impersonate on user root to u2;
grant select on table t1 to user u2;
grant select on table t2 to user u2;
grant select on view v1 to user u2;
grant select on view v2 to user u2;
grant select on view v3 to user u1;

execute as u1 with no revert;
select * from v1;
select * from v2;
select * from v3;
execute as root with no revert;

execute as u2 with no revert;